Manage FlowSchemas (API Server DoS/Manipulation)
Denial of Service
Critical
Overview
Field | Value |
---|---|
ID | 1098 |
Name | Manage FlowSchemas (API Server DoS/Manipulation) |
Risk Category | Denial of Service |
Risk Level | Critical |
Role Type | ClusterRole |
API Groups | flowcontrol.apiserver.k8s.io |
Resources | flowschemas |
Verbs | create, update, patch, delete |
Tags | APIServerDoS ControlPlaneDisruption DenialOfService Tampering |
Description
Allows managing FlowSchema objects cluster-wide. FlowSchemas are part of API Priority and Fairness, controlling how API requests are categorized and prioritized. Misconfiguration can lead to denial of service against the API server for critical components or allow certain requests to bypass throttling, potentially overwhelming the server.
Abuse Scenarios
- Create a new FlowSchema to prioritize malicious traffic or starve legitimate traffic.

  ```bash
  kubectl create -f - <<EOF
  apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
  kind: FlowSchema
  metadata:
    name: malicious-flowschema
  spec:
    matchingPrecedence: 10000 # Range 1-10000; numerically lower values are matched first
    priorityLevelConfiguration:
      name: exempt # Assuming an exempt priority level exists
    rules:
    - resourceRules:
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["create"]
      subjects:
      - kind: User
        name: <attacker-user>
  EOF
  # Example: kubectl create -f - <<EOF ... EOF
  ```

- Delete an existing FlowSchema, disrupting API priority and fairness.

  ```bash
  kubectl delete flowschema <flowschema-name>
  # Example: kubectl delete flowschema system-leader-election
  ```
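
To find which ClusterRoles actually grant this permission, the added example below (not part of the original rule entry) applies the API group, resource and verbs from the table above to a role list, including `*` wildcard grants. The function names and the sample roles are assumptions; the sample is constructed and shaped like `kubectl get clusterroles -o json` output.

```python
import json

# Values from the rule table on this page.
API_GROUP = "flowcontrol.apiserver.k8s.io"
RESOURCE = "flowschemas"
RISKY_VERBS = {"create", "update", "patch", "delete"}

def covers(values, wanted):
    """An RBAC rule list matches on the literal value or the '*' wildcard."""
    return "*" in values or wanted in values

def risky_flowschema_grants(role_list):
    """Return (role name, sorted risky verbs) for every rule that matches."""
    findings = []
    for role in role_list.get("items", []):
        # Aggregated roles can carry `rules: null`, hence the `or []`.
        for rule in role.get("rules") or []:
            if not covers(rule.get("apiGroups", []), API_GROUP):
                continue
            if not covers(rule.get("resources", []), RESOURCE):
                continue
            verbs = set(rule.get("verbs", []))
            granted = RISKY_VERBS if "*" in verbs else verbs & RISKY_VERBS
            if granted:
                findings.append((role["metadata"]["name"], sorted(granted)))
    return findings

# Constructed sample, shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "apf-admin"}, "rules": [
    {"apiGroups": ["flowcontrol.apiserver.k8s.io"],
     "resources": ["flowschemas", "prioritylevelconfigurations"],
     "verbs": ["get", "list", "create", "patch"]}]},
  {"metadata": {"name": "apf-viewer"}, "rules": [
    {"apiGroups": ["flowcontrol.apiserver.k8s.io"],
     "resources": ["flowschemas"], "verbs": ["get", "list", "watch"]}]},
  {"metadata": {"name": "wildcard-admin"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "pod-creator"}, "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
  {"metadata": {"name": "aggregate-empty"}, "rules": null}
]}
""")

if __name__ == "__main__":
    for name, verbs in risky_flowschema_grants(SAMPLE):
        print(f"{name}: {', '.join(verbs)}")
```

Read-only roles and roles scoped to other resources are not reported; wildcard roles are reported with all four verbs.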