# Manage Services in a namespace

NetworkManipulation | High

## Overview
| Field | Value |
|---|---|
| ID | 1076 |
| Name | Manage Services in a namespace |
| Risk Category | NetworkManipulation |
| Risk Level | High |
| Role Type | Role |
| API Groups | core |
| Resources | services |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService, NetworkManipulation, ServiceExposure, Tampering |
## Description

Permits creating, updating, patching, or deleting Services within a specific namespace. Because a Service controls how traffic reaches Pods, this permission can be used to expose applications that were meant to stay internal (for example by adding a NodePort or LoadBalancer Service), to redirect traffic by changing a selector or port, or to cause a denial of service by deleting a Service that other workloads depend on, all within that namespace.
## Abuse Scenarios

- Create a new NodePort Service to expose an internal application in the namespace.

  ```bash
  kubectl create -n <namespace> -f - <<EOF
  apiVersion: v1
  kind: Service
  metadata:
    name: exposed-app-nodeport
  spec:
    selector:
      app: <internal-app-label>
    ports:
      - protocol: TCP
        port: 80
        targetPort: 8080
    type: NodePort
  EOF
  # Example: kubectl create -n default -f - <<EOF ... EOF
  ```
- Delete a critical Service within the namespace, causing unavailability.

  ```bash
  kubectl delete service <service-name> -n <namespace>
  # Example: kubectl delete service my-web-app -n production
  ```
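Both scenarios above leave a trace in the API server audit log. The following script is an added detection example (not part of this catalogue entry or any project's code): it reads audit events one JSON object per line, keeps only successful `create`/`update`/`patch`/`delete` requests on `services`, and rates them by how closely they match the scenarios (NodePort/LoadBalancer creation and deletion as high, other mutations as medium). The field names used (`verb`, `stage`, `user.username`, `objectRef`, `requestObject`, `responseStatus`) are the standard Kubernetes audit schema; the allowlist of expected subjects and the sample events are constructed assumptions.

```python
import json

# Verbs covered by this rule (core API group, resource "services").
RISKY_VERBS = {"create", "update", "patch", "delete"}
# Service types that open a listening port outside the cluster network.
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}
# Subjects expected to manage Services in this cluster (assumed allowlist).
ALLOWED_SUBJECTS = {"system:serviceaccount:platform:deploy-bot"}


def classify(event: dict):
    """Return (severity, reason) for one audit event, or None if not of interest."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "services" or event.get("stage") != "ResponseComplete":
        return None
    verb = event.get("verb")
    if verb not in RISKY_VERBS:
        return None
    if event.get("responseStatus", {}).get("code", 0) >= 400:
        return None  # denied or failed request: nothing changed in the cluster
    user = event.get("user", {}).get("username", "")
    if user in ALLOWED_SUBJECTS:
        return None
    target = f"{ref.get('namespace')}/{ref.get('name')}"
    # requestObject is only present at the RequestResponse audit level.
    svc_type = (event.get("requestObject") or {}).get("spec", {}).get("type", "ClusterIP")
    if verb == "delete":
        return ("high", f"{user} deleted Service {target}")
    if svc_type in EXTERNAL_TYPES:
        return ("high", f"{user} performed {verb} on Service {target} with type {svc_type}")
    return ("medium", f"{user} performed {verb} on Service {target}")


def scan_audit_log(lines):
    """Classify every non-empty JSON line and return the list of findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            result = classify(json.loads(line))
            if result:
                findings.append(result)
    return findings


# Constructed sample audit events (not from any real cluster), one JSON object per line.
SAMPLE_LOG = """
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"services","namespace":"production","name":"exposed-app-nodeport"},"requestObject":{"spec":{"type":"NodePort"}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"dev-user"},"objectRef":{"resource":"services","namespace":"production","name":"my-web-app"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"dev-user"},"objectRef":{"resource":"services","namespace":"production","name":"my-web-app"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"services","namespace":"production","name":"denied"},"requestObject":{"spec":{"type":"NodePort"}},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"ci-bot"},"objectRef":{"resource":"services","namespace":"staging","name":"api"},"responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for severity, reason in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {reason}")
```

Feeding the script the cluster's audit log (with `services` logged at the RequestResponse level so the Service type is visible) turns this rule into a concrete alert rather than a static permission review.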