Overview

| Field | Value |
|---|---|
| ID | 1072 |
| Name | Manage NetworkPolicies in a namespace |
| Risk Category | NetworkManipulation |
| Risk Level | High |
| Role Type | Role |
| API Groups | networking.k8s.io |
| Resources | networkpolicies |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService, NetworkManipulation, NetworkPolicyManagement, Tampering |

Description

Permits creating, modifying, or deleting NetworkPolicies within a specific namespace. The holder thereby controls network traffic flow for every application in that namespace and can potentially bypass the intended segmentation or cause a denial of service.

Abuse Scenarios

1. Create a NetworkPolicy that allows all ingress traffic to every pod in the namespace.

```shell
kubectl create -n <namespace> -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress-ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - {}
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF
```

2. Delete a NetworkPolicy within the namespace, removing its segmentation.

```shell
kubectl delete networkpolicy <networkpolicy-name> -n <namespace>
# Example: kubectl delete networkpolicy db-isolation -n production
```
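As an added audit example (not part of this catalogue entry), the Python below flags Roles whose rules grant the write verbs listed above on `networkpolicies`, and flags NetworkPolicies shaped like the allow-all manifest in scenario 1. The sample objects are constructed to mirror `kubectl get ... -o json` output, and the function names are the example's own.

```python
WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample objects, shaped like `kubectl get ... -o json` output.
ALLOW_ALL_INGRESS = {  # the manifest from abuse scenario 1
    "metadata": {"name": "allow-all-ingress-ns", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
}
DB_ISOLATION = {  # a restrictive policy for contrast (constructed)
    "metadata": {"name": "db-isolation", "namespace": "production"},
    "spec": {"podSelector": {"matchLabels": {"app": "db"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "backend"}}}]}]},
}
NETPOL_ADMIN_ROLE = {  # a Role granting exactly the verbs in ID1072 (constructed)
    "metadata": {"name": "netpol-admin", "namespace": "production"},
    "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"],
               "verbs": ["create", "update", "patch", "delete"]}],
}
READ_ONLY_ROLE = {  # same resource, read verbs only (constructed)
    "metadata": {"name": "netpol-viewer", "namespace": "production"},
    "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"],
               "verbs": ["get", "list", "watch"]}],
}


def netpol_write_rules(role):
    """Return the rules of a Role/ClusterRole that grant a write verb on
    networkpolicies in networking.k8s.io; '*' wildcards count as a match."""
    hits = []
    for rule in role.get("rules", []):
        if (set(rule.get("apiGroups", [])) & {"networking.k8s.io", "*"}
                and set(rule.get("resources", [])) & {"networkpolicies", "*"}
                and set(rule.get("verbs", [])) & (WRITE_VERBS | {"*"})):
            hits.append(rule)
    return hits


def is_allow_all_ingress(netpol):
    """True when the policy selects every pod in its namespace and carries an
    ingress rule with no 'from' entries, which the API treats as all sources."""
    spec = netpol.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False  # only a subset of pods is selected
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False  # Ingress is the default policyType when omitted
    return any(not rule.get("from") for rule in spec.get("ingress", []))
```

Run the checks over the output of `kubectl get roles,clusterroles -A -o json` and `kubectl get networkpolicies -A -o json` to surface both the risky grants and any policy that has already opened a namespace.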