DoS the memory/CPU resources

Scenario Information

There is no specification of resources in the Kubernetes manifests and not applied limit ranges for the containers. As an attacker, we can consume all the resources where the pod/deployment running and starve other resources and cause a DoS for the environment.

Scenario 13 Welcome

Scenario Solution

  • This deployment pod has not set any resource limits in the Kubernetes manifests. So we can easily perform the bunch of operations which can consume resources
  • In this pod we have installed a utility called stress-ng
stress-ng --vm 2 --vm-bytes 2G --timeout 30s

Scenario 13 stress-ng

  • You can see the difference between while running stress-ng and after
kubectl top pod hunger-check-deployment-xxxxxxxxxx-xxxxx

Scenario 13 kubectl top

This attack may not work in some cases like autoscaling, resource restrictions, etc.