# Manage NetworkPolicies cluster-wide
## Overview

| Field | Value |
|---|---|
| ID | 1071 |
| Name | Manage NetworkPolicies cluster-wide |
| Risk Category | NetworkManipulation |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | networking.k8s.io |
| Resources | networkpolicies |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService, LateralMovement, NetworkManipulation, NetworkPolicyManagement, Tampering |
## Description
Allows creating, modifying, or deleting NetworkPolicies in any namespace. This can be used to disable network segmentation, allow/deny traffic to sensitive pods, or isolate critical components, leading to information disclosure, lateral movement, or denial of service.
## Abuse Scenarios

- Create a NetworkPolicy that allows all ingress traffic to every pod in a namespace.

  ```shell
  kubectl create -n <namespace> -f - <<EOF
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-all-ingress
  spec:
    podSelector: {}   # empty selector: applies to all pods in the namespace
    policyTypes:
      - Ingress
    ingress:
      - {}            # empty rule: allows all ingress
  EOF
  # Example: kubectl create -n production -f - <<EOF ... EOF
  ```

- Delete a critical NetworkPolicy, removing the network segmentation it enforced.

  ```shell
  kubectl delete networkpolicy <networkpolicy-name> -n <namespace>
  # Example: kubectl delete networkpolicy deny-all-ingress -n default
  ```
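To find roles that carry this risk before auditing bindings, the grant in the Overview table (ClusterRole, `networking.k8s.io`, `networkpolicies`, any of create/update/patch/delete) can be checked against RBAC objects directly. The following is an added example, not code from the catalog: the role dicts are constructed but mirror the layout of `kubectl get clusterrole -o json`, and wildcard (`*`) and `resourceNames` handling follows Kubernetes RBAC semantics.

```python
"""Check RBAC objects for risk 1071: cluster-wide write access to NetworkPolicies.
Added example, not catalog code; the role dicts are constructed but mirror
`kubectl get clusterrole -o json`."""

RISK_API_GROUP = "networking.k8s.io"
RISK_RESOURCE = "networkpolicies"
RISK_VERBS = {"create", "update", "patch", "delete"}


def _covers(granted, wanted):
    """True when an RBAC list names `wanted` or uses the '*' wildcard."""
    return "*" in granted or wanted in granted


def rule_risky_verbs(rule):
    """Risky verbs one RBAC rule grants on networking.k8s.io/networkpolicies."""
    if not _covers(rule.get("apiGroups", []), RISK_API_GROUP):
        return set()
    if not _covers(rule.get("resources", []), RISK_RESOURCE):
        return set()
    verbs = set(rule.get("verbs", []))
    verbs = set(RISK_VERBS) if "*" in verbs else verbs & RISK_VERBS
    # Kubernetes cannot match `create` against resourceNames (the object has no
    # name yet), so a name-scoped rule grants no create permission.
    if rule.get("resourceNames"):
        verbs.discard("create")
    return verbs


def risky_verbs(role):
    """Sorted risky verbs across all rules; empty for a namespaced Role."""
    if role.get("kind") != "ClusterRole":  # a Role is a separate, namespaced risk
        return []
    granted = set()
    for rule in role.get("rules", []):
        granted |= rule_risky_verbs(rule)
    return sorted(granted)


# Constructed sample objects (not from any real cluster).
SAMPLE_ROLES = {
    "netpol-admin": {"kind": "ClusterRole", "rules": [{"apiGroups": ["networking.k8s.io"],
        "resources": ["networkpolicies"], "verbs": ["get", "list", "patch", "delete"]}]},
    "superuser": {"kind": "ClusterRole", "rules": [{"apiGroups": ["*"],
        "resources": ["*"], "verbs": ["*"]}]},
    "netpol-viewer": {"kind": "ClusterRole", "rules": [{"apiGroups": ["networking.k8s.io"],
        "resources": ["networkpolicies"], "verbs": ["get", "list", "watch"]}]},
    "ns-editor": {"kind": "Role", "rules": [{"apiGroups": ["networking.k8s.io"],
        "resources": ["networkpolicies"], "verbs": ["create", "update"]}]},
}
```

A non-empty result from `risky_verbs` means the role matches this entry; a match through `["*"]` rules (as with `superuser`) is the case most often missed when grepping for the literal resource name.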