# Manage Cilium ClusterwideNetworkPolicies (cilium.io)

NetworkManipulation | Critical

## Overview
| Field | Value |
|---|---|
| ID | 1064 |
| Name | Manage Cilium ClusterwideNetworkPolicies (cilium.io) |
| Risk Category | NetworkManipulation |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | cilium.io |
| Resources | ciliumclusterwidenetworkpolicies |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService, NetworkManipulation, NetworkPolicyManagement, Tampering |
## Description

Permits managing CiliumClusterwideNetworkPolicies, the cluster-scoped policies that control network traffic flow across the entire cluster when Cilium is the CNI. An attacker holding these verbs can modify or remove these policies to bypass network segmentation, eavesdrop on traffic, or cause denial of service by isolating critical components.
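The verbs, API group and resource in the table above are exactly what an RBAC audit has to look for, including the `*` wildcards that grant them implicitly. The following is an added example, not part of the original catalogue entry: it scans ClusterRole (or Role) objects in the JSON shape returned by `kubectl get clusterroles -o json` and reports every role that grants any of the listed verbs on `ciliumclusterwidenetworkpolicies`. The sample roles are constructed for the demonstration; the function names (`risky_verbs`, `find_risky_roles`) are the example's own.

```python
"""Added example (not from the original entry): flag RBAC rules that grant
create/update/patch/delete on ciliumclusterwidenetworkpolicies in cilium.io."""
import json
import sys
from typing import Iterable

# Values taken from the risk entry above
RISK_API_GROUP = "cilium.io"
RISK_RESOURCE = "ciliumclusterwidenetworkpolicies"
RISK_VERBS = {"create", "update", "patch", "delete"}


def _matches(values: Iterable[str], wanted: str) -> bool:
    """A rule entry matches if it names the value or uses the '*' wildcard."""
    return any(v == "*" or v == wanted for v in values)


def risky_verbs(rule: dict) -> set:
    """Return the subset of RISK_VERBS that one PolicyRule grants on the resource."""
    if not _matches(rule.get("apiGroups", []), RISK_API_GROUP):
        return set()
    if not _matches(rule.get("resources", []), RISK_RESOURCE):
        return set()
    verbs = rule.get("verbs", [])
    if "*" in verbs:  # verb wildcard grants every risky verb
        return set(RISK_VERBS)
    return RISK_VERBS & set(verbs)


def find_risky_roles(roles: list) -> dict:
    """Map role name -> sorted risky verbs, for every role granting at least one.

    `roles` are ClusterRole/Role objects as in the `items` list of kubectl JSON.
    Aggregated ClusterRoles carry their controller-populated `rules`, so they
    are covered as well.
    """
    findings = {}
    for role in roles:
        granted = set()
        for rule in role.get("rules") or []:
            granted |= risky_verbs(rule)
        if granted:
            findings[role["metadata"]["name"]] = sorted(granted)
    return findings


# Constructed sample ClusterRoles (same shape as `kubectl get clusterroles -o json` items)
SAMPLE_ROLES = [
    {"metadata": {"name": "cilium-policy-admin"},
     "rules": [{"apiGroups": ["cilium.io"],
                "resources": ["ciliumclusterwidenetworkpolicies"],
                "verbs": ["get", "list", "create", "delete"]}]},
    {"metadata": {"name": "cluster-admin-like"},  # wildcards grant everything
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "cilium-policy-viewer"},  # read-only: not flagged
     "rules": [{"apiGroups": ["cilium.io"],
                "resources": ["ciliumclusterwidenetworkpolicies",
                              "ciliumnetworkpolicies"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "netpol-editor"},  # different API group: not flagged
     "rules": [{"apiGroups": ["networking.k8s.io"],
                "resources": ["networkpolicies"],
                "verbs": ["*"]}]},
]

if __name__ == "__main__":
    # Pass "-" to audit live output: kubectl get clusterroles -o json | python audit.py -
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        roles = json.load(sys.stdin)["items"]
    else:
        roles = SAMPLE_ROLES
    for name, verbs in find_risky_roles(roles).items():
        print(f"{name}: {', '.join(verbs)}")
```

Only `cilium-policy-admin` and `cluster-admin-like` are reported; the viewer role has no write verbs and the `networking.k8s.io` editor does not touch the Cilium resource. Binding subjects still have to be resolved through ClusterRoleBindings to know who actually holds the permission.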
## Abuse Scenarios

- Create a CiliumClusterwideNetworkPolicy to allow all ingress/egress traffic.

```shell
kubectl create -f - <<EOF
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-all-traffic
spec:
  endpointSelector: {} # Applies to all endpoints
  ingress:
  - fromEntities:
    - all
  egress:
  - toEntities:
    - all
EOF
# Example: kubectl create -f - <<EOF ... EOF
```
- Delete a critical CiliumClusterwideNetworkPolicy, removing network segmentation.

```shell
kubectl delete ciliumclusterwidenetworkpolicy <policy-name>
# Example: kubectl delete ciliumclusterwidenetworkpolicy default-deny-all
```