Denial of Service in Kubernetes

A misconfigured CronJob creates thousands of pods overnight. A stolen service account token spawns replicas until every node runs out of memory. A crafted YAML payload crashes the API server in seconds. Denial of service in Kubernetes goes far beyond network floods. The attack surface spans every layer of the cluster, from individual containers to the control plane's backing store.

The KCSA threat model treats DoS as a distinct attack category for good reason: each vector targets a different component, and each requires a specific defense. This article maps five DoS attack surfaces to the Kubernetes-native controls that block them.