Manage Services cluster-wide
NetworkManipulation
Critical
Overview
Field | Value |
---|---|
ID | 1075 |
Name | Manage Services cluster-wide |
Risk Category | NetworkManipulation |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | core |
Resources | services |
Verbs | create, update, patch, delete |
Tags | DenialOfService NetworkManipulation ServiceExposure Tampering |
Description
Allows creating, updating, patching, or deleting Services in any namespace. Because a Service is the in-cluster entry point for a workload, this can be abused to expose internal applications beyond the cluster (for example by changing a Service's type from ClusterIP to LoadBalancer or NodePort), to redirect traffic to a pod the attacker controls by rewriting the Service's selector, or to cause denial of service by deleting a Service or pointing its selector at nothing. Two practical limits apply: a selector only matches Pods in the Service's own namespace, so redirecting traffic also requires the ability to run or label a Pod there, and a LoadBalancer Service only becomes reachable from outside where a cloud or load-balancer controller actually provisions one.
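The following is an added example, not code from the original page or from the tool that generated this entry. It shows how a reviewer would decide whether a ClusterRole manifest carries this risk, applying the matching rule the RBAC authorizer uses (a PolicyRule matches when each of apiGroups, resources and verbs lists the requested value or "*"; the core group is written "" in manifests, which the table above calls "core"). The manifests at the bottom are constructed for illustration. Treating any one of create/update/patch/delete as sufficient, and ignoring rules narrowed by resourceNames, are assumptions of this check, not something the page states.

```python
"""Check a ClusterRole for risk 1075 (Manage Services cluster-wide).

Added example; not code from the original page or from the tool that
generated it. It applies the matching rule the RBAC authorizer uses: a
PolicyRule matches a request when each of apiGroups, resources and verbs
lists the requested value or "*". The core group is written "" in manifests.
"""
from typing import Iterable, Set

RISK_VERBS = {"create", "update", "patch", "delete"}


def _covers(rule_values: Iterable[str], wanted: str) -> bool:
    """A rule field covers a value if it lists it explicitly or via "*"."""
    values = set(rule_values)
    return "*" in values or wanted in values


def risky_service_verbs(rules: list) -> Set[str]:
    """Return the subset of RISK_VERBS that `rules` grants on core Services."""
    granted: Set[str] = set()
    for rule in rules:
        if not _covers(rule.get("apiGroups", []), ""):
            continue
        # Subresources such as services/status or services/proxy are distinct
        # resources to the authorizer and do not give control of the Service spec.
        if not _covers(rule.get("resources", []), "services"):
            continue
        # resourceNames pins a rule to named objects; that is not cluster-wide
        # management, so such rules are ignored here (assumption of this check).
        if rule.get("resourceNames"):
            continue
        verbs = set(rule.get("verbs", []))
        granted |= RISK_VERBS if "*" in verbs else RISK_VERBS & verbs
    return granted


def has_risk_1075(obj: dict) -> bool:
    """True for a ClusterRole granting any risky verb on Services.

    Assumption: one of create/update/patch/delete is enough, since each on its
    own realises one of the abuse scenarios on this page. A Role is never
    flagged (it is namespace-scoped by construction). A ClusterRole bound only
    through a RoleBinding is still flagged: binding scope is not visible here
    and must be reviewed separately.
    """
    if obj.get("kind") != "ClusterRole":
        return False
    return bool(risky_service_verbs(obj.get("rules", [])))


# Constructed manifests for illustration; not taken from a real cluster.
SERVICE_EDITOR = {
    "kind": "ClusterRole", "metadata": {"name": "service-editor"},
    "rules": [{"apiGroups": [""], "resources": ["services"],
               "verbs": ["get", "list", "update", "patch"]}],
}
WILDCARD = {
    "kind": "ClusterRole", "metadata": {"name": "almost-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SERVICE_VIEWER = {
    "kind": "ClusterRole", "metadata": {"name": "service-viewer"},
    "rules": [{"apiGroups": [""], "resources": ["services", "endpoints"],
               "verbs": ["get", "list", "watch"]}],
}
STATUS_ONLY = {
    "kind": "ClusterRole", "metadata": {"name": "service-status-writer"},
    "rules": [{"apiGroups": [""], "resources": ["services/status"],
               "verbs": ["update", "patch"]}],
}
NAMESPACED_ROLE = {
    "kind": "Role", "metadata": {"name": "service-admin", "namespace": "dev"},
    "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for obj in (SERVICE_EDITOR, WILDCARD, SERVICE_VIEWER, STATUS_ONLY, NAMESPACED_ROLE):
        print(obj["metadata"]["name"], has_risk_1075(obj),
              sorted(risky_service_verbs(obj["rules"])))
```

Feed it the output of `kubectl get clusterroles -o json` (each item is one `obj`) to list every ClusterRole that matches; the wildcard case is the one that most often slips through reviews that only grep for the literal string "services".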
Abuse Scenarios
- Create a new LoadBalancer Service to expose an internal application externally.
kubectl create -n <namespace> -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: exposed-internal-app
spec:
  selector:
    app: <internal-app-label>
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: LoadBalancer
EOF
# Example: kubectl create -n production -f - <<EOF ... EOF (expose a database)
- Delete a critical Service, causing application unavailability (DoS).
kubectl delete service <service-name> -n <namespace>
# Example: kubectl delete service kubernetes -n default
# Caveat: kube-apiserver recreates default/kubernetes on its own, so that particular deletion causes only a short interruption; deleting an application's Service removes its cluster IP and endpoints until someone recreates it.
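The detection side of the scenarios above, as an added example that is not part of the original page: a small stateful detector over Kubernetes audit events that flags Service exposure (type changed to LoadBalancer or NodePort), traffic redirection (selector rewritten, or a Service created as an ExternalName alias, which goes slightly beyond the selector case the page names), and Service deletion. The field names (`verb`, `user.username`, `objectRef`, `requestObject`, `responseObject`) are those of `audit.k8s.io/v1`, but the events below are constructed and trimmed, not real cluster output. It assumes the audit policy records Services at level RequestResponse, since that is what makes `responseObject` available, and that events are processed in order, because an audit event carries the new object but never the previous one.

```python
"""Flag abusive Service changes in a stream of Kubernetes audit events.

Added example, not code from the original page. The events in AUDIT_LOG are
constructed, trimmed audit.k8s.io/v1 records; real ones carry more fields.
"""
import json
from typing import Dict, List

EXPOSING_TYPES = {"LoadBalancer", "NodePort"}


class ServiceChangeDetector:
    """Remembers the last seen spec of each Service so that update and patch
    events can be diffed against it. Audit events do not carry the previous
    object, so the stream must be fed in order (assumption of this detector)."""

    def __init__(self) -> None:
        self._last_spec: Dict[str, dict] = {}

    def process(self, event: dict) -> List[str]:
        """Return human-readable findings for one event; empty if benign."""
        ref = event.get("objectRef", {})
        # Core-group Services only; apiGroup is omitted for the core group.
        if ref.get("resource") != "services" or ref.get("apiGroup", ""):
            return []
        if ref.get("subresource"):  # services/status, services/proxy: not this risk
            return []
        verb = event.get("verb")
        user = event.get("user", {}).get("username", "<unknown>")
        key = f"{ref.get('namespace')}/{ref.get('name')}"
        if verb == "delete":
            self._last_spec.pop(key, None)
            return [f"{user} deleted Service {key}"]
        if verb not in ("create", "update", "patch"):
            return []  # reads are not covered by this risk
        # responseObject is the object as stored after the write, also for patches.
        new = event.get("responseObject", {}).get("spec", {})
        old = self._last_spec.get(key)
        self._last_spec[key] = new
        findings: List[str] = []
        new_type = new.get("type", "ClusterIP")
        old_type = old.get("type", "ClusterIP") if old is not None else None
        if new_type in EXPOSING_TYPES and old_type != new_type:
            findings.append(f"{user} set Service {key} type to {new_type} "
                            f"(was {old_type or 'new object'})")
        if new_type == "ExternalName" and old_type != "ExternalName":
            findings.append(f"{user} made Service {key} an ExternalName alias "
                            f"for {new.get('externalName')}")
        if old is not None and old.get("selector") != new.get("selector"):
            findings.append(f"{user} changed selector of Service {key} "
                            f"from {old.get('selector')} to {new.get('selector')}")
        return findings


def scan(log_text: str) -> List[str]:
    """Run the detector over newline-delimited JSON audit events."""
    detector = ServiceChangeDetector()
    findings: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(detector.process(json.loads(line)))
    return findings


# Constructed, trimmed audit events (not real cluster output), in order.
AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"deploy-bot"},"objectRef":{"resource":"services","namespace":"payments","name":"db","apiVersion":"v1"},"responseObject":{"kind":"Service","spec":{"type":"ClusterIP","selector":{"app":"db"},"ports":[{"port":5432,"targetPort":5432}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"services","namespace":"payments","name":"db","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"patch","user":{"username":"mallory"},"objectRef":{"resource":"services","namespace":"payments","name":"db","apiVersion":"v1"},"requestObject":{"spec":{"type":"LoadBalancer"}},"responseObject":{"kind":"Service","spec":{"type":"LoadBalancer","selector":{"app":"db"},"ports":[{"port":5432,"targetPort":5432}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"update","user":{"username":"mallory"},"objectRef":{"resource":"services","namespace":"payments","name":"db","apiVersion":"v1"},"responseObject":{"kind":"Service","spec":{"type":"LoadBalancer","selector":{"app":"sniffer"},"ports":[{"port":5432,"targetPort":5432}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"deploy-bot"},"objectRef":{"resource":"configmaps","namespace":"payments","name":"cfg","apiVersion":"v1"},"responseObject":{"kind":"ConfigMap","data":{"k":"v"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"delete","user":{"username":"mallory"},"objectRef":{"resource":"services","namespace":"payments","name":"db","apiVersion":"v1"},"responseObject":{"kind":"Status","status":"Success"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"mallory"},"objectRef":{"resource":"services","namespace":"default","name":"api","apiVersion":"v1"},"responseObject":{"kind":"Service","spec":{"type":"ExternalName","externalName":"attacker.example"}}}
"""

if __name__ == "__main__":
    for finding in scan(AUDIT_LOG):
        print(finding)
```

Pointing this at a real audit log means the `kubernetes` Service in `default` and Services managed by controllers (ingress controllers, operators) will show up too, so in practice the user field is what separates expected writers from an account that should never touch Services; the ClusterRole check above tells you which accounts those could be.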