Update Deployment Scale (Resource Abuse/DoS)
Denial of Service
High
Overview
| Field | Value |
|---|---|
| ID | 1096 |
| Name | Update Deployment Scale (Resource Abuse/DoS) |
| Risk Category | Denial of Service |
| Risk Level | High |
| Role Type | Role |
| API Groups | apps |
| Resources | deployments/scale |
| Risky Verb Combinations | [update] · [patch] |
| Tags | DenialOfService ResourceModification Tampering WorkloadLifecycle |
Description
Allows updating the ‘scale’ subresource of Deployments within a namespace. This can be abused to significantly increase or decrease the number of replicas for a deployment, potentially leading to resource exhaustion, denial of service, or unexpected operational costs.
Abuse Scenarios
- Scale a deployment to a very high number of replicas (resource exhaustion).

  ```bash
  kubectl scale deployment <deployment-name> -n <namespace> --replicas=1000
  # Example: kubectl scale deployment my-web-app -n default --replicas=1000
  ```

- Scale a deployment to zero replicas (denial of service).

  ```bash
  kubectl scale deployment <deployment-name> -n <namespace> --replicas=0
  # Example: kubectl scale deployment my-api -n production --replicas=0
  ```
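
To audit for this rule, the following added example (not part of the original rule page) scans a RoleList for rules that grant `update` or `patch` on `deployments/scale` in the `apps` group, including wildcard grants. The function names, the `_role` helper and the sample Roles are assumptions constructed for illustration.

```python
import json

RISKY_VERBS = {"update", "patch"}  # verb combinations listed in the rule
SCALE_RESOURCES = {"deployments/scale", "*/scale", "*"}  # explicit and wildcard forms

def risky_verbs(rule):
    """Return the risky verbs one RBAC rule grants on apps deployments/scale."""
    if not set(rule.get("apiGroups") or []) & {"apps", "*"}:
        return set()
    if not set(rule.get("resources") or []) & SCALE_RESOURCES:
        return set()
    verbs = set(rule.get("verbs") or [])
    return set(RISKY_VERBS) if "*" in verbs else verbs & RISKY_VERBS

def find_risky_roles(role_list):
    """Scan a RoleList (parsed JSON) and report every matching rule."""
    findings = []
    for role in role_list.get("items") or []:
        meta = role.get("metadata", {})
        for rule in role.get("rules") or []:
            verbs = risky_verbs(rule)
            if verbs:
                findings.append({
                    "namespace": meta.get("namespace"),
                    "role": meta.get("name"),
                    "verbs": sorted(verbs),
                    # non-empty resourceNames limits the grant to those Deployments
                    "resourceNames": rule.get("resourceNames") or [],
                })
    return findings

def _role(ns, name, groups, resources, verbs, names=None):
    """Hypothetical helper that builds one sample Role object."""
    rule = {"apiGroups": groups, "resources": resources, "verbs": verbs}
    if names:
        rule["resourceNames"] = names
    return {"metadata": {"namespace": ns, "name": name}, "rules": [rule]}

# Constructed sample input (not from a real cluster).
SAMPLE = {"items": [
    _role("default", "scaler", ["apps"], ["deployments/scale"], ["get", "patch"]),
    _role("default", "editor", ["apps"], ["deployments"], ["update"]),  # no subresource
    _role("prod", "api-scaler", ["apps"], ["deployments/scale"], ["update"], ["my-api"]),
    _role("prod", "ops-admin", ["*"], ["*"], ["*"]),
    _role("prod", "rc-scaler", [""], ["replicationcontrollers/scale"], ["update"]),
]}

if __name__ == "__main__":
    print(json.dumps(find_risky_roles(SAMPLE), indent=2))
```

On a live cluster, pass the parsed output of `kubectl get roles -A -o json` to `find_risky_roles` in place of `SAMPLE`.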