Manage Ingresses (Namespace Service Exposure/Traffic Redirection)
NetworkManipulation
High
Overview
| Field | Value |
|---|---|
| ID | 1091 |
| Name | Manage Ingresses (Namespace Service Exposure/Traffic Redirection) |
| Risk Category | NetworkManipulation |
| Risk Level | High |
| Role Type | Role |
| API Groups | networking.k8s.io |
| Resources | ingresses |
| Verbs | create, update, patch, delete |
| Tags | DenialOfService NetworkManipulation ServiceExposure Tampering |
Description
Allows creating, updating, patching, or deleting Ingress objects within a single namespace (the permission is granted through a namespaced Role). Because the cluster's Ingress controller reconciles these objects into live routing rules, a principal holding these verbs can expose any Service in the namespace to external traffic, repoint an existing hostname and path at a different backend Service (redirecting legitimate traffic to one they control), or disrupt external access by deleting or misconfiguring Ingresses. An Ingress backend must reference a Service in the same namespace, so the direct blast radius is that namespace's Services and the hostnames its Ingresses claim; the combination becomes more dangerous when the same principal can also create or modify Services there.
Abuse Scenarios
- Create a new Ingress to expose an internal service or redirect traffic to it:

```bash
kubectl create -n <namespace> -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: malicious-ingress
spec:
  rules:
  - host: <malicious-hostname>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: <internal-service-name>
            port:
              number: <internal-service-port>
EOF
# Example: run with -n default, <malicious-hostname> = malicious.example.com and
# <internal-service-name> = my-app-service to expose 'my-app-service' on 'malicious.example.com'
```
- Delete an existing Ingress, causing external access disruption (DoS):

```bash
kubectl delete ingress <ingress-name> -n <namespace>
# Example: kubectl delete ingress my-web-ingress -n production
```
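Both scenarios above leave a trail in the Kubernetes API server audit log, so a practical detection is to flag every accepted create/update/patch/delete on `ingresses` in `networking.k8s.io` by an identity that is not expected to manage Ingresses in that namespace, and, where the audit level records request bodies, to surface the hostnames and backend Services the write introduced. The following is an added example written for this entry, not code from the original page or from any product: the audit events are constructed (`audit.k8s.io/v1` Event shape), and `ALLOWED_WRITERS`, the `deployer`/`web-app` service accounts and the `exfil-proxy` Service are hypothetical names.

```python
"""Flag accepted write operations on Ingress objects in Kubernetes API audit logs.

Added example for this risk entry, not part of the original page. Input is
audit.k8s.io/v1 Event JSON, one event per line; the sample events below are
constructed, and ALLOWED_WRITERS is a hypothetical per-namespace allow-list.
"""
import json
from typing import Any, Dict, Iterable, List

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Hypothetical: identities expected to manage Ingresses, per namespace.
ALLOWED_WRITERS: Dict[str, set] = {
    "production": {"system:serviceaccount:production:deployer"},
}


def ingress_backends(obj: Any) -> List[tuple]:
    """Return (host, service, port) tuples from an Ingress-shaped object.

    For create/update the audit requestObject is the full Ingress; for a
    strategic-merge patch it is the partial object; a JSON patch body is a
    list, carries no spec, and therefore yields no backends.
    """
    if not isinstance(obj, dict):
        return []
    out = []
    for rule in (obj.get("spec") or {}).get("rules") or []:
        host = rule.get("host", "*")
        for path in (rule.get("http") or {}).get("paths") or []:
            svc = (path.get("backend") or {}).get("service") or {}
            port = svc.get("port") or {}
            out.append((host, svc.get("name"), port.get("number") or port.get("name")))
    return out


def audit_ingress_writes(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return one finding per accepted Ingress write by a non-allow-listed user."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != "networking.k8s.io" or ref.get("resource") != "ingresses":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        # Count only requests the API server completed successfully; a denied
        # write attempt (403) is a separate signal and is not reported here.
        if ev.get("stage") != "ResponseComplete":
            continue
        if (ev.get("responseStatus") or {}).get("code", 0) >= 400:
            continue
        ns = ref.get("namespace")
        user = (ev.get("user") or {}).get("username")
        if user in ALLOWED_WRITERS.get(ns, set()):
            continue
        findings.append({
            "verb": ev["verb"],
            "namespace": ns,
            "name": ref.get("name"),
            "user": user,
            # requestObject is only present at audit level Request or RequestResponse.
            "backends": ingress_backends(ev.get("requestObject")),
        })
    return findings


def _event(verb, user, name, code, request_object=None, stage="ResponseComplete"):
    """Build a minimal audit.k8s.io/v1 Event (constructed sample data)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "stage": stage, "verb": verb,
        "user": {"username": user},
        "objectRef": {"apiGroup": "networking.k8s.io", "apiVersion": "v1",
                      "resource": "ingresses", "namespace": "production", "name": name},
        "responseStatus": {"code": code},
    }
    if request_object is not None:
        ev["requestObject"] = request_object
    return ev


# Constructed strategic-merge patch that repoints shop.example.com at a hypothetical
# attacker-controlled Service in the same namespace (the redirection scenario).
HIJACK_PATCH = {"spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
    {"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "exfil-proxy", "port": {"number": 8080}}}}]}}]}}

SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    _event("create", "system:serviceaccount:production:deployer", "my-web-ingress", 201),
    _event("get", "alice", "my-web-ingress", 200),
    _event("patch", "system:serviceaccount:production:web-app", "my-web-ingress", 200, HIJACK_PATCH),
    _event("create", "mallory", "malicious-ingress", 403),
    _event("delete", "alice", "my-web-ingress", 200),
]]

if __name__ == "__main__":
    for finding in audit_ingress_writes(SAMPLE_AUDIT_LINES):
        print(finding)
```

Against the sample, the legitimate create and the read are ignored, the forbidden create is skipped, and two findings come back: the patch by the `web-app` service account (with the new `shop.example.com -> exfil-proxy:8080` backend extracted) and the delete of `my-web-ingress`. The backend extraction depends on the audit policy recording bodies for `ingresses` at level `Request` or `RequestResponse`; at `Metadata` level only the verb, user and object reference survive, which is still enough to raise the alert.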