Kubernetes kube-apiserver
cpe:2.3:a:kubernetes:kube-apiserver:*:*:*:*:*:*:*
- <= v1.31.11
- <= v1.32.7
- <= v1.33.3
A vulnerability in the NodeRestriction admission controller allows node users to delete their node objects by patching themselves with an OwnerReference to a cluster-scoped resource. If the referenced resource is absent or deleted, the node object is removed through garbage collection. This issue affects Kubernetes clusters with NodeRestriction enabled but without the OwnerReferencesPermissionEnforcement admission controller. Vulnerable kube-apiserver versions include 1.31.11 and prior, 1.32.7 and prior, and 1.33.3 and prior.
Exploitation of this vulnerability allows a node to delete and recreate its node object with altered taints or labels, potentially enabling control over which pods are scheduled on the compromised node.
Upgrade to a patched kube-apiserver version (1.31.12 or later, 1.32.8 or later, 1.33.4 or later) or enable the OwnerReferencesPermissionEnforcement admission controller.
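The check below is an added example, not part of the original advisory or of Kubernetes. It tests a kube-apiserver version and its effective admission plugin list against the conditions stated above, and lists Node objects that carry ownerReferences so they can be reviewed. The sample node list and its names are constructed, and treating minor lines newer than 1.33 as fixed is an assumption.

```python
import re

# First fixed patch per 1.x minor line, from the advisory text above.
FIXED_PATCH = {31: 12, 32: 8, 33: 4}

def version_is_affected(version):
    """True if a kube-apiserver version is in the advisory's affected ranges."""
    m = re.match(r"v?1\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    minor, patch = int(m.group(1)), int(m.group(2))
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    # "1.31.11 and prior" covers older minors; newer minors are ASSUMED fixed.
    return minor < min(FIXED_PATCH)

def cluster_is_exposed(version, admission_plugins):
    """admission_plugins: effective comma-separated plugin list, e.g. the
    value of kube-apiserver's --enable-admission-plugins flag."""
    plugins = {p.strip() for p in admission_plugins.split(",") if p.strip()}
    return (version_is_affected(version)
            and "NodeRestriction" in plugins
            and "OwnerReferencesPermissionEnforcement" not in plugins)

def nodes_with_owner_references(node_list):
    """Map node name -> [(kind, name)] for Nodes carrying ownerReferences."""
    found = {}
    for node in node_list.get("items", []):
        meta = node.get("metadata", {})
        refs = meta.get("ownerReferences") or []
        if refs:
            found[meta.get("name")] = [(r.get("kind"), r.get("name")) for r in refs]
    return found

# Constructed sample shaped like `kubectl get nodes -o json`; names are made up.
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "worker-a"}},
    {"metadata": {"name": "worker-b", "ownerReferences": [
        {"kind": "ExampleClusterScopedKind", "name": "example-missing"}]}},
]}

if __name__ == "__main__":
    print(cluster_is_exposed("v1.32.7", "NodeRestriction"))
    print(nodes_with_owner_references(SAMPLE_NODES))
```

A node listed by nodes_with_owner_references is a lead for review, not proof of abuse; compare it with audit log entries for patches to that Node object.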