Description
We identified the following combination of undefined or missing configuration parameters in the Deployment's pod template:
Undefined runAsUser
Undefined runAsNonRoot
Undefined readOnlyRootFilesystem
[missing] resources.limits
If these parameters are undefined, Kubernetes applies its defaults, which here means the container can run as root, with a writable root filesystem and no CPU or memory limit.
This combination may result in resource exhaustion (CPU/memory) and privileged container execution, which can crash pods or destabilize the node (Denial of Service). Malicious or misbehaving containers can consume excessive resources or manipulate the filesystem, leading to unplanned outages or degraded performance.
We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-13/denial-of-service-memory-and-cpu-resources-in-kubernetes-cluster which demonstrates how missing resource constraints and running as root can be abused to perform DoS attacks on nodes.
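To make the finding reproducible, the following is an added audit script (example code written for this report, not part of the example-voting-app repository). It walks a parsed manifest and reports each of the four settings above when it is undefined or unsafe. The two manifests embedded in it are constructed for illustration and are not the real db-deployment.yaml; the UID 999 in the hardened variant is a placeholder for whatever non-root UID the image actually uses.

```python
"""Audit a parsed Kubernetes workload manifest for the settings named in
the report: runAsUser, runAsNonRoot, readOnlyRootFilesystem and
resources.limits. Example code for this report; the manifests below are
constructed samples, not the repository's own db-deployment.yaml."""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a bare Pod or of a pod-template workload."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in WORKLOAD_KINDS:
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def audit_manifest(manifest: dict) -> list[str]:
    """Return one finding per missing or unsafe setting, per container.

    runAsUser and runAsNonRoot may be set at pod level or container level
    (container level wins); readOnlyRootFilesystem and resources.limits
    exist only at container level, so they are checked per container.
    """
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user is None:
            findings.append(f"{name}: runAsUser undefined (falls back to the image USER, often root)")
        elif run_as_user == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")

        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot not true")

        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not true")

        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: resources.limits.{res} missing")
    return findings


# Constructed sample: a database Deployment that defines none of the four settings.
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "db-insecure"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "postgres", "image": "postgres:15-alpine"},
    ]}}},
}

# Constructed sample: the same workload with all four settings defined.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "db-hardened"},
    "spec": {"template": {"spec": {
        # 999 is a placeholder; use the non-root UID the image really runs as.
        "securityContext": {"runAsUser": 999, "runAsNonRoot": True},
        "containers": [{
            "name": "postgres",
            "image": "postgres:15-alpine",
            "securityContext": {"readOnlyRootFilesystem": True},
            "resources": {
                "requests": {"cpu": "250m", "memory": "256Mi"},
                "limits": {"cpu": "500m", "memory": "512Mi"},
            },
        }],
    }}},
}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Audit a real file; needs PyYAML (third-party, not in the stdlib).
        import yaml
        with open(sys.argv[1]) as fh:
            docs = [d for d in yaml.safe_load_all(fh) if d]
    else:
        docs = [INSECURE_DEPLOYMENT, HARDENED_DEPLOYMENT]
    for doc in docs:
        print(doc["metadata"]["name"], audit_manifest(doc) or ["no findings"])
```

Run without arguments to compare the two constructed manifests, or pass a manifest path to audit a real file. Setting readOnlyRootFilesystem on a database image usually also requires emptyDir volumes for the paths the process writes at runtime (sockets, temp files), so the hardened settings should be tested against the workload before being applied.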
Location:
https://github.com/dockersamples/example-voting-app/blob/main/k8s-specifications/db-deployment.yaml