Update NetworkPolicy Status (Cluster-wide Tampering)
Tampering
Medium
Overview
| Field | Value |
|---|---|
| ID | 1093 |
| Name | Update NetworkPolicy Status (Cluster-wide Tampering) |
| Risk Category | Tampering |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | networking.k8s.io |
| Resources | networkpolicies/status |
| Verbs | update, patch |
| Tags | NetworkPolicyManagement, Reconnaissance, Tampering |
Description
Allows updating the status subresource of NetworkPolicy objects across all namespaces. The API server stores whatever status is written and does not itself enforce NetworkPolicies (that is done by the CNI or policy controller), so this permission can be abused to misrepresent the enforcement status of network policies: hiding policy violations, or misleading administrators and tooling about the actual state of network segmentation.
Abuse Scenarios
- Patch a NetworkPolicy's status to falsely indicate that it is not ready or has failed.

```shell
# Replace <kubernetes-api-server> with your API server address
# Replace <token> with your authentication token
# Replace <namespace> and <policy-name> with the target NetworkPolicy's namespace and name
curl -k -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -X PATCH \
  --data '{"status":{"conditions":[{"type":"Ready","status":"False","reason":"PolicyError","message":"Policy failed to apply due to internal error."}]}}' \
  https://<kubernetes-api-server>/apis/networking.k8s.io/v1/namespaces/<namespace>/networkpolicies/<policy-name>/status

# Example: curl -k -H "Authorization: Bearer $(cat ~/.kube/config | grep token: | awk '{print $2}')" -H "Content-Type: application/json" -X PATCH --data '{"status":{"conditions":[{"type":"Ready","status":"False","reason":"PolicyError","message":"Policy failed to apply due to internal error."}]}}' https://127.0.0.1:6443/apis/networking.k8s.io/v1/namespaces/default/networkpolicies/my-policy/status
```