Update StatefulSet Scale (Resource Abuse/DoS)
Denial of Service
High
Overview
| Field | Value |
|---|---|
| ID | 1097 |
| Name | Update StatefulSet Scale (Resource Abuse/DoS) |
| Risk Category | Denial of Service |
| Risk Level | High |
| Role Type | Role |
| API Groups | apps |
| Resources | statefulsets/scale |
| Verbs | update, patch |
| Tags | DataLoss DenialOfService ResourceModification Tampering WorkloadLifecycle |
Description
Allows updating the ‘scale’ subresource of StatefulSets within a namespace. This can be abused to significantly increase or decrease the number of replicas for a stateful application, potentially leading to resource exhaustion, denial of service, data inconsistencies, or unexpected operational costs.
Abuse Scenarios
- Scale a StatefulSet to a very high number of replicas (resource exhaustion).

  ```sh
  kubectl scale statefulset <statefulset-name> -n <namespace> --replicas=1000
  # Example: kubectl scale statefulset my-database -n production --replicas=1000
  ```

- Scale a StatefulSet to zero replicas (denial of service and potential data loss).

  ```sh
  kubectl scale statefulset <statefulset-name> -n <namespace> --replicas=0
  # Example: kubectl scale statefulset my-redis -n default --replicas=0
  ```
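As an added example (not part of this rule catalog or its tooling), the following Python check evaluates Role/ClusterRole manifests against the fields of rule 1097, honoring RBAC wildcard semantics (`*` and `statefulsets/*`), so that a wildcard grant that silently includes the scale subresource is flagged alongside an explicit one; the three sample roles are constructed.

```python
"""Flag RBAC PolicyRules granting rule 1097's permission: update/patch on the
statefulsets/scale subresource in the apps API group. Sample roles are constructed."""

# The permission this rule describes, taken from the rule's Overview fields.
RULE_1097 = {
    "apiGroups": {"apps"},
    "resources": {"statefulsets/scale"},
    "verbs": {"update", "patch"},
}

def _covers(granted, wanted):
    """True if any granted value covers any wanted value under RBAC semantics:
    "*" matches everything, and "<resource>/*" matches every subresource of
    that resource. A bare "statefulsets" does NOT cover "statefulsets/scale"."""
    for g in granted:
        if g == "*":
            return True
        for w in wanted:
            if g == w:
                return True
            if g.endswith("/*") and "/" in w and w.split("/", 1)[0] == g[:-2]:
                return True
    return False

def grants_statefulset_scale(role):
    """Return the PolicyRules in a Role/ClusterRole dict that match rule 1097."""
    return [
        r for r in role.get("rules", [])
        if _covers(r.get("apiGroups", []), RULE_1097["apiGroups"])
        and _covers(r.get("resources", []), RULE_1097["resources"])
        and _covers(r.get("verbs", []), RULE_1097["verbs"])
    ]

# Constructed: explicit grant of the risky subresource verb.
EXPLICIT_ROLE = {"kind": "Role", "metadata": {"name": "sts-scaler"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["statefulsets/scale"], "verbs": ["patch"]},
]}
# Constructed: wildcard grant that silently includes statefulsets/scale.
WILDCARD_ROLE = {"kind": "Role", "metadata": {"name": "apps-admin"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["statefulsets/*"], "verbs": ["*"]},
]}
# Constructed: least-privilege alternative, read access to StatefulSets only.
READONLY_ROLE = {"kind": "Role", "metadata": {"name": "sts-viewer"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["get", "list"]},
]}

if __name__ == "__main__":
    for role in (EXPLICIT_ROLE, WILDCARD_ROLE, READONLY_ROLE):
        hits = grants_statefulset_scale(role)
        print(role["metadata"]["name"], "-> rule 1097:", "FLAG" if hits else "ok")
```

To run it against a live cluster, feed the output of `kubectl get roles,clusterroles -A -o json` into `grants_statefulset_scale` item by item.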