dockersamples/example-voting-app

Potential Denial of Service via unrestricted CPU/memory and root user execution


We identified the usage of a combination of configuration parameters:

Undefined runAsUser  
Undefined runAsNonRoot  
Undefined readOnlyRootFilesystem  
[missing] resources.limits  

If these parameters are undefined, Kubernetes will apply default values.

This combination may result in resource exhaustion (CPU/memory) and privileged container execution, which can crash pods or destabilize the node (Denial of Service). Malicious or misbehaving containers can consume excessive resources or manipulate the filesystem, leading to unplanned outages or degraded performance.

We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-13/denial-of-service-memory-and-cpu-resources-in-kubernetes-cluster which demonstrates how missing resource constraints and running as root can be abused to perform DoS attacks on nodes.

Location:

https://github.com/dockersamples/example-voting-app/blob/main/k8s-specifications/db-deployment.yaml
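As an added example (not code from the issue or the example-voting-app project), the check below audits a Deployment for the four findings above and contrasts a constructed manifest with nothing set against a hardened variant. Manifests are embedded as already-parsed dicts (what `yaml.safe_load` would return); container names, image tag, uid and limit values are assumptions.

```python
WEAK_DEPLOYMENT = {  # constructed: a db Deployment with no securityContext or limits
    "kind": "Deployment",
    "metadata": {"name": "db"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "postgres", "image": "postgres:15-alpine"}],
    }}},
}

HARDENED_DEPLOYMENT = {  # constructed: same workload with every field defined
    "kind": "Deployment",
    "metadata": {"name": "db"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "postgres",
            "image": "postgres:15-alpine",
            "securityContext": {
                "runAsUser": 999,            # assumed non-root uid for the image
                "runAsNonRoot": True,        # kubelet refuses to start the container as uid 0
                "readOnlyRootFilesystem": True,
            },
            "resources": {
                "requests": {"cpu": "250m", "memory": "256Mi"},
                "limits": {"cpu": "500m", "memory": "512Mi"},  # bounds a runaway container
            },
        }],
    }}},
}


def audit_deployment(manifest):
    """Return (container, finding) pairs for each hardening field that is missing."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    # runAsUser / runAsNonRoot may be set at pod level and inherited by containers,
    # so merge pod-level settings first and let container-level values override.
    pod_ctx = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        ctx = {**pod_ctx, **c.get("securityContext", {})}
        if "runAsUser" not in ctx:
            findings.append((c["name"], "runAsUser undefined"))
        if ctx.get("runAsNonRoot") is not True:
            findings.append((c["name"], "runAsNonRoot undefined or false"))
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "readOnlyRootFilesystem undefined or false"))
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append((c["name"], "resources.limits missing cpu or memory"))
    return findings
```

Running `audit_deployment` over every Deployment in a cluster export gives a quick inventory of which workloads still rely on the Kubernetes defaults.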