Overview

| Field | Value |
| --- | --- |
| ID | 1079 |
| Name | Manage PodDisruptionBudgets cluster-wide |
| Risk Category | Denial of Service |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | policy |
| Resources | poddisruptionbudgets |
| Verbs | create, update, patch, delete |
| Tags | AvailabilityImpact, DenialOfService, Tampering |

Description

Allows creating, updating, patching, or deleting PodDisruptionBudgets (PDBs) in every namespace. A PDB is enforced only by the Eviction API, which is the path used by kubectl drain, the cluster autoscaler and node-upgrade tooling, so a maliciously configured PDB (e.g., minAvailable: 100% or maxUnavailable: 0 on a critical component) drives the budget's allowed disruptions to 0 and makes every node hosting those pods undrainable: upgrades, scale-downs and maintenance stall until someone notices. Conversely, deleting or loosening the PDB that protects a workload lets a single drain evict all of its replicas at once, taking the application down. PDBs do not block direct pod deletion or involuntary disruptions (node failure, kubelet pressure eviction), and an administrator can bypass them with kubectl drain --disable-eviction, so the impact is on automated and routine operations that go through eviction rather than on the pods themselves.

Abuse Scenarios

  1. Create a PDB that forbids any voluntary disruption of critical pods (DoS against drains, upgrades and autoscaler scale-downs).
```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: no-disruption-pdb
spec:
  minAvailable: 100% # Or maxUnavailable: 0
  selector:
    matchLabels:
      app: <critical-app-label>
EOF
# Example: the same manifest applied in kube-system with a selector matching coredns:
# kubectl create -n kube-system -f - <<EOF ... EOF
```
  2. Delete an existing PDB so that the disruptions it previously prevented are allowed (one drain can now evict every replica).
```bash
kubectl delete poddisruptionbudget <pdb-name> -n <namespace>
# Example: kubectl delete pdb my-app-pdb -n production
```
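Both scenarios above come down to one number: the status.disruptionsAllowed the disruption controller computes for each PDB, which the Eviction API refuses to go below. The script below is an added example, not part of this catalog entry or of Kubernetes itself; it reproduces that arithmetic (desired healthy count derived from minAvailable or maxUnavailable, percentages rounded up, then clamped at 0) on constructed inputs so the effect of a malicious or deleted PDB can be checked offline. The function names, the `none` pseudo-field standing in for "no PDB exists", and the 3-replica workload are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): model how the Kubernetes
# disruption controller fills status.disruptionsAllowed on a PDB, so the
# two abuse scenarios can be reasoned about without a cluster.
#
# Inputs are constructed; in a live cluster they come from spec and from
# the pods matched by spec.selector:
#   expected = pods the PDB expects (the owning controllers' replicas)
#   healthy  = pods currently Ready
#   field    = minAvailable | maxUnavailable | none  (none: no PDB, scenario 2)
#   value    = integer or percentage string such as 100% or 0
# Percentages are rounded up for both fields, as the controller does.

# ceil(expected * pct / 100) using integer arithmetic only
scale_percent() {
    expected=$1; pct=$2
    echo $(( (expected * pct + 99) / 100 ))
}

# Print the number of evictions the Eviction API would currently permit.
pdb_disruptions_allowed() {
    expected=$1; healthy=$2; field=$3; value=$4

    case "$field" in
        none)
            # No PDB selects these pods: every healthy pod can be evicted.
            echo "$healthy"; return 0 ;;
        minAvailable)
            case "$value" in
                *%) desired=$(scale_percent "$expected" "${value%\%}") ;;
                *)  desired=$value ;;
            esac ;;
        maxUnavailable)
            case "$value" in
                *%) max_unavail=$(scale_percent "$expected" "${value%\%}") ;;
                *)  max_unavail=$value ;;
            esac
            desired=$(( expected - max_unavail ))
            if [ "$desired" -lt 0 ]; then desired=0; fi ;;
        *)
            echo "unknown field: $field" >&2; return 1 ;;
    esac

    allowed=$(( healthy - desired ))
    # Clamp to 0 when the budget is exhausted or the PDB expects no pods.
    if [ "$expected" -le 0 ] || [ "$allowed" -le 0 ]; then
        allowed=0
    fi
    echo "$allowed"
}

# Render the manifest from abuse scenario 1 for a given name and label.
blocking_pdb_manifest() {
    name=$1; label=$2
    cat <<EOF
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: $name
spec:
  minAvailable: 100%
  selector:
    matchLabels:
      app: $label
EOF
}

# Walk-through on a constructed 3-replica workload with all pods Ready.
main() {
    echo "no PDB (scenario 2):        allowed=$(pdb_disruptions_allowed 3 3 none 0)"
    echo "sane minAvailable=1:        allowed=$(pdb_disruptions_allowed 3 3 minAvailable 1)"
    echo "abuse minAvailable=100%:    allowed=$(pdb_disruptions_allowed 3 3 minAvailable 100%)"
    echo "abuse maxUnavailable=0:     allowed=$(pdb_disruptions_allowed 3 3 maxUnavailable 0)"
    echo "50% PDB, one pod not Ready: allowed=$(pdb_disruptions_allowed 3 2 minAvailable 50%)"
    echo
    blocking_pdb_manifest no-disruption-pdb critical-app
}

main
```

Any non-zero result means a drain proceeds; 0 means kubectl drain retries the eviction until its timeout and node maintenance stalls. The live equivalent of this check is `kubectl get pdb -A`, whose ALLOWED DISRUPTIONS column is the same number; a budget that sits at 0 while all its pods are Ready is the signature of scenario 1, and a namespace that used to have a PDB and no longer does is the signature of scenario 2.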