Potential Denial of Service via unrestricted CPU/memory and root user execution #407

Open
Description

@zyue110026

We identified the usage of a combination of configuration parameters:

Undefined runAsUser
Undefined runAsNonRoot
Undefined readOnlyRootFilesystem
[missing] resources.limits

If these parameters are undefined, Kubernetes applies its default values.

This combination may result in resource exhaustion (CPU/memory) and privileged container execution, which can crash pods or destabilize the node (Denial of Service). Malicious or misbehaving containers can consume excessive resources or manipulate the filesystem, leading to unplanned outages or degraded performance.

We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-13/denial-of-service-memory-and-cpu-resources-in-kubernetes-cluster which demonstrates how missing resource constraints and running as root can be abused to perform DoS attacks on nodes.

Location:

https://github.com/dockersamples/example-voting-app/blob/main/k8s-specifications/db-deployment.yaml
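The following is an added example, not code from the issue author or from the example-voting-app project. It is a small audit function that walks a Pod template (represented as the plain dict that `yaml.safe_load` would return from a manifest) and reports each of the four settings named above when they are undefined or weak, taking into account that `runAsUser` and `runAsNonRoot` may be inherited from the pod-level `securityContext` while `readOnlyRootFilesystem` exists only at container level. The two sample specs are constructed for this example; the image name, UID 999, the emptyDir scratch mounts and the limit values are assumptions, not the contents of `db-deployment.yaml`.

```python
"""Audit a Kubernetes Pod template for the settings discussed in this issue.

Manifests are represented as plain dicts (what PyYAML's yaml.safe_load would
return). Both sample specs below are constructed for this example and are not
the project's db-deployment.yaml.
"""
from typing import Dict, List


def audit_pod_spec(pod_spec: Dict) -> List[str]:
    """Return one finding per container for each undefined or weak setting."""
    findings: List[str] = []
    pod_sc = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # runAsUser / runAsNonRoot may be set at pod level and inherited;
        # a container-level value overrides the pod-level one.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user is None:
            findings.append(f"{name}: runAsUser undefined (falls back to the image USER, often root)")
        elif run_as_user == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        if run_as_non_root is not True:
            findings.append(f"{name}: runAsNonRoot not true (kubelet will not refuse a root image)")
        # readOnlyRootFilesystem is container-level only and defaults to false.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not true (writable root filesystem)")
        # Without limits the container has no cgroup ceiling; requests alone
        # only influence scheduling.
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: resources.limits.{res} missing (no cgroup ceiling)")
    return findings


# Constructed weak template: nothing set, so every default applies.
WEAK_SPEC: Dict = {
    "containers": [
        {"name": "db", "image": "postgres"},  # image name is a placeholder
    ],
}

# Constructed hardened template. UID 999 is an assumed non-root UID for the
# database image; the emptyDir mounts give the process writable scratch space
# once the root filesystem is read-only.
HARDENED_SPEC: Dict = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 999},
    "containers": [
        {
            "name": "db",
            "image": "postgres",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
            },
            "resources": {
                "requests": {"cpu": "250m", "memory": "256Mi"},
                "limits": {"cpu": "500m", "memory": "512Mi"},  # assumed values
            },
            "volumeMounts": [
                {"name": "tmp", "mountPath": "/tmp"},
                {"name": "run", "mountPath": "/var/run/postgresql"},
            ],
        },
    ],
    "volumes": [
        {"name": "tmp", "emptyDir": {}},
        {"name": "run", "emptyDir": {}},
    ],
}


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        result = audit_pod_spec(spec)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

To run this against a real manifest, load it with `yaml.safe_load`, select `spec.template.spec` from the Deployment, and pass that dict to `audit_pod_spec`. The check is intentionally strict about `runAsNonRoot`: a numeric `runAsUser` alone does not make the kubelet refuse an image whose USER is root, so both fields are reported separately.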
