Manage PodDisruptionBudgets cluster-wide
Denial of Service
Medium
Overview
| Field | Value |
|---|---|
| ID | 1079 |
| Name | Manage PodDisruptionBudgets cluster-wide |
| Risk Category | Denial of Service |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | policy |
| Resources | poddisruptionbudgets |
| Verbs | create, update, patch, delete |
| Tags | AvailabilityImpact DenialOfService Tampering |
Description
Allows creating, updating, or deleting PodDisruptionBudgets (PDBs) cluster-wide. Maliciously configured PDBs (e.g., setting maxUnavailable to 0 for critical components) can prevent voluntary disruptions, or conversely, allow too many disruptions, leading to denial of service or impacting application availability.
Abuse Scenarios
- Create a PDB to prevent voluntary disruption of critical pods (DoS).

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: no-disruption-pdb
spec:
  minAvailable: 100%  # Or maxUnavailable: 0
  selector:
    matchLabels:
      app: <critical-app-label>
EOF
# Example: kubectl create -n kube-system -f - <<EOF ... EOF (for coredns)
```
- Delete an existing PDB, allowing disruptions that were previously prevented.

```bash
kubectl delete poddisruptionbudget <pdb-name> -n <namespace>
# Example: kubectl delete pdb my-app-pdb -n production
```
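A defender-side check for this risk, added here as an example and not part of the original entry: it flags PDBs whose spec can never permit a voluntary disruption (`minAvailable: 100%` or `maxUnavailable: 0`), PDBs whose status currently reports zero allowed disruptions, and ClusterRoles that grant the write verbs listed in the table above on `policy/poddisruptionbudgets`. The input shape assumed is the `items` list of `kubectl get pdb -A -o json` and `kubectl get clusterrole -o json`; the objects embedded below are constructed for the example.

```python
"""Audit PodDisruptionBudgets and ClusterRoles for disruption-blocking configurations.

Objects are dicts in the shape of the Kubernetes API JSON, e.g. the `items` list of
`kubectl get pdb -A -o json`. Sample objects below are constructed for this example.
"""

# Verbs that let a subject change a PDB; "*" covers wildcard rules.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def _blocks_all_disruption(spec):
    """True when the spec forbids voluntary evictions regardless of how many pods are healthy."""
    min_avail = spec.get("minAvailable")
    max_unavail = spec.get("maxUnavailable")
    if str(min_avail) == "100%":
        return True
    # Covers both the integer 0 and the string "0%".
    if max_unavail is not None and str(max_unavail).rstrip("%") == "0":
        return True
    return False


def find_blocking_pdbs(pdbs):
    """Return (namespace, name, reason) tuples for PDBs that allow no voluntary disruption."""
    findings = []
    for pdb in pdbs:
        meta = pdb["metadata"]
        spec = pdb.get("spec", {})
        status = pdb.get("status", {})
        if _blocks_all_disruption(spec):
            findings.append((meta["namespace"], meta["name"], "spec forbids all disruptions"))
        elif status.get("disruptionsAllowed") == 0 and status.get("expectedPods", 0) > 0:
            # Not unconditional, but blocking right now (e.g. minAvailable equals the pod count).
            findings.append((meta["namespace"], meta["name"], "currently allows 0 disruptions"))
    return findings


def find_pdb_writers(clusterroles):
    """Return names of ClusterRoles able to create/update/patch/delete PDBs cluster-wide."""
    names = []
    for role in clusterroles:
        for rule in role.get("rules", []):
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if ({"policy", "*"} & groups
                    and {"poddisruptionbudgets", "*"} & resources
                    and WRITE_VERBS & verbs):
                names.append(role["metadata"]["name"])
                break  # one matching rule is enough
    return names


# Constructed sample input (not from a real cluster).
SAMPLE_PDBS = [
    {"metadata": {"namespace": "kube-system", "name": "no-disruption-pdb"},
     "spec": {"minAvailable": "100%", "selector": {"matchLabels": {"app": "critical-app"}}},
     "status": {"disruptionsAllowed": 0, "currentHealthy": 2, "expectedPods": 2}},
    {"metadata": {"namespace": "production", "name": "my-app-pdb"},
     "spec": {"maxUnavailable": 1, "selector": {"matchLabels": {"app": "my-app"}}},
     "status": {"disruptionsAllowed": 1, "currentHealthy": 3, "expectedPods": 3}},
    {"metadata": {"namespace": "staging", "name": "tight-pdb"},
     "spec": {"minAvailable": 3, "selector": {"matchLabels": {"app": "staging-app"}}},
     "status": {"disruptionsAllowed": 0, "currentHealthy": 3, "expectedPods": 3}},
]

SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "pdb-admin"},
     "rules": [{"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"],
                "verbs": ["create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "pdb-viewer"},
     "rules": [{"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "wildcard-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]


if __name__ == "__main__":
    for ns, name, why in find_blocking_pdbs(SAMPLE_PDBS):
        print(f"PDB {ns}/{name}: {why}")
    for role in find_pdb_writers(SAMPLE_CLUSTERROLES):
        print(f"ClusterRole {role} can write PodDisruptionBudgets")
```

To run it against a live cluster, replace the sample lists with `json.load(...)["items"]` from the two `kubectl ... -o json` commands named in the lead-in. The status-based branch is deliberately separate from the spec-based one: a PDB with `minAvailable: 3` is legitimate when the workload runs four replicas, so only the spec patterns are flagged unconditionally and the status finding is reported as a current condition to review.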