Manage NetworkPolicies in a namespace
NetworkManipulation
High
Overview
| Field | Value |
|---|---|
| ID | 1072 |
| Name | Manage NetworkPolicies in a namespace |
| Risk Category | NetworkManipulation |
| Risk Level | High |
| Role Type | Role |
| API Groups | networking.k8s.io |
| Resources | networkpolicies |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] |
| Tags | DenialOfService NetworkManipulation NetworkPolicyManagement Tampering |
Description
Permits creating, modifying, or deleting NetworkPolicies within a specific namespace. This allows control over network traffic flow for applications within that namespace, potentially bypassing intended segmentation or causing denial of service.
Abuse Scenarios
- Create a NetworkPolicy to allow all ingress traffic to pods in the namespace.
kubectl create -n <namespace> -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all-ingress-ns
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- {}
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
- Delete a NetworkPolicy within the namespace, removing segmentation.
kubectl delete networkpolicy <networkpolicy-name> -n <namespace>
# Example: kubectl delete networkpolicy db-isolation -n production