Evict Pods in a namespace
Denial of Service
Medium
Overview
Field | Value |
---|---|
ID | 1058 |
Name | Evict Pods in a namespace |
Risk Category | Denial of Service |
Risk Level | Medium |
Role Type | Role |
API Groups | policy |
Resources | pods/eviction |
Risky Verb Combinations | [create] |
Tags | DenialOfService WorkloadLifecycle |
Description
Allows evicting (deleting) pods within a specific namespace using the eviction API. This can disrupt applications running in that namespace, leading to a localized denial of service.
Abuse Scenarios
- Evict a specific pod within the namespace by directly calling the eviction API.
```bash
# Replace <kubernetes-api-server> with your API server address
# Replace <token> with your authentication token
curl -k -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -X POST \
  --data '{"apiVersion":"policy/v1","kind":"Eviction","metadata":{"name":"<pod-name>","namespace":"<namespace>"}}' \
  https://<kubernetes-api-server>/api/v1/namespaces/<namespace>/pods/<pod-name>/eviction

# Example, reading the bearer token out of the local kubeconfig:
curl -k -H "Authorization: Bearer $(cat ~/.kube/config | grep token: | awk '{print $2}')" \
  -H "Content-Type: application/json" \
  --data '{"apiVersion":"policy/v1","kind":"Eviction","metadata":{"name":"my-app-pod-xyz","namespace":"production"}}' \
  https://127.0.0.1:6443/api/v1/namespaces/production/pods/my-app-pod-xyz/eviction
```
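To find out who actually holds this risk in a namespace, the following added example (not part of the original catalogue entry) walks Role and RoleBinding objects and reports every subject whose Role grants `create` on `pods/eviction`, treating `*` wildcards in `verbs` or `resources` as covering the risky combination; the manifests are constructed samples shaped like `kubectl get roles,rolebindings -o json` items, and the check deliberately does not filter on `apiGroups`.

```python
"""Added example: list RBAC subjects able to create pods/eviction in a namespace."""

RISKY_RESOURCE = "pods/eviction"
RISKY_VERB = "create"


def rule_grants_eviction(rule):
    """True if one RBAC rule covers create on pods/eviction.
    Wildcards are honoured: verbs ["*"] or resources ["*"] both cover the risky
    combination. apiGroups is not filtered on, so the check does not depend on
    which API group the rule's author wrote."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    return (RISKY_VERB in verbs or "*" in verbs) and \
           (RISKY_RESOURCE in resources or "*" in resources)


def risky_roles(roles):
    """Return the set of (namespace, role name) whose rules grant eviction."""
    return {(r["metadata"]["namespace"], r["metadata"]["name"])
            for r in roles if any(rule_grants_eviction(x) for x in r.get("rules", []))}


def subjects_with_eviction(roles, bindings):
    """Resolve RoleBindings to Roles; return sorted (subject, namespace, role) triples.
    Only roleRef kind Role is resolved: ClusterRole references would need the
    cluster-wide role list, which this snippet does not model."""
    flagged = risky_roles(roles)
    findings = []
    for b in bindings:
        ns, ref = b["metadata"]["namespace"], b["roleRef"]
        if ref.get("kind") != "Role" or (ns, ref["name"]) not in flagged:
            continue
        for s in b.get("subjects", []):
            findings.append((f'{s["kind"]}/{s["name"]}', ns, ref["name"]))
    return sorted(findings)


SAMPLE_ROLES = [  # constructed sample Roles in one namespace
    {"metadata": {"namespace": "production", "name": "evictor"},
     "rules": [{"apiGroups": ["policy"], "resources": ["pods/eviction"], "verbs": ["create"]}]},
    {"metadata": {"namespace": "production", "name": "pod-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"namespace": "production", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [  # constructed sample RoleBindings for the Roles above
    {"metadata": {"namespace": "production"}, "roleRef": {"kind": "Role", "name": "evictor"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot"}]},
    {"metadata": {"namespace": "production"}, "roleRef": {"kind": "Role", "name": "pod-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"namespace": "production"}, "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "viewers"}]},
]

if __name__ == "__main__":
    for subject, ns, role in subjects_with_eviction(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can evict pods in {ns} via Role {role}")
```

Feed it the real `items` arrays from `kubectl get roles,rolebindings -n <namespace> -o json` to audit a live namespace; the `viewers` group is correctly left out because `get`/`list` on `pods` does not reach the eviction subresource.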