Cloud Native Security
🔥 Advanced

Container & Kubernetes Security

Containers and Kubernetes have become the de facto standard for deploying modern applications. However, misconfigurations, excessive privileges, and weak isolation create significant attack surface. This guide covers container escapes, Kubernetes attacks, and cloud-native security testing.

Production Environment Caution

Container and Kubernetes attacks can disrupt production workloads. Always test in isolated lab environments. Escaping containers or escalating to cluster-admin can cause service outages.

Container vs Kubernetes Testing

🐳 Container Security (Docker/Podman)

  • Container escape to host OS
  • Privileged container abuse
  • Docker socket (/var/run/docker.sock) exploitation
  • Image vulnerability scanning
  • Secrets extraction from layers

☸️ Kubernetes Security

  • Cluster enumeration and RBAC bypass
  • Service account token theft
  • Pod escape to worker node
  • Lateral movement between namespaces
  • Secrets and ConfigMap extraction

Common Attack Vectors

1. Misconfigured RBAC

Overly permissive ClusterRoleBindings (for example cluster-admin or edit bound to system:authenticated, to system:serviceaccounts, or to a namespace's default service account) let any pod running under that identity escalate. The default service account token is automounted into every pod unless automountServiceAccountToken is set to false, so excessive permissions on it are reachable from any compromised container in that namespace.
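A first-pass RBAC triage over the output of kubectl get clusterrolebindings -o json, as an added example that is not code from the original guide. It flags broad subjects (system:authenticated, system:unauthenticated, system:serviceaccounts, system:anonymous) bound to anything beyond the discovery-only roles Kubernetes ships, and any service account bound to cluster-admin, admin or edit. The SAMPLE_CRBS list is constructed to mimic kubectl's JSON shape; the rule set is an assumption about what to look at first, not an exhaustive audit.

```python
"""Flag risky ClusterRoleBindings from `kubectl get clusterrolebindings -o json`.

Added example, not code from the original guide.  SAMPLE_CRBS is constructed to
mimic kubectl's JSON output; the rules below are a first-pass triage."""
import json
import sys

# Built-in roles that amount to full control of a namespace or the cluster.
POWERFUL_ROLES = {"cluster-admin", "admin", "edit"}
# Subjects that effectively mean "every caller", attackers included.
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("Group", "system:serviceaccounts"),
    ("User", "system:anonymous"),
}
# Kubernetes binds these discovery-only roles to broad groups by default.
DEFAULT_DISCOVERY_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def risky_bindings(crb_list):
    """Return (binding name, reason) tuples for bindings worth abusing or fixing."""
    findings = []
    for crb in crb_list.get("items", []):
        name = crb["metadata"]["name"]
        role = crb["roleRef"]["name"]
        for subj in crb.get("subjects") or []:
            kind, sname = subj.get("kind"), subj.get("name", "")
            ns = subj.get("namespace", "")
            if (kind, sname) in BROAD_SUBJECTS and role not in DEFAULT_DISCOVERY_ROLES:
                findings.append((name, f"{kind} {sname} bound to {role}"))
            elif kind == "ServiceAccount" and role in POWERFUL_ROLES:
                who = "default service account" if sname == "default" else f"service account {sname}"
                findings.append((name, f"{who} in {ns} bound to {role}"))
    return findings


def _crb(name, role, *subjects):
    """Constructed helper: build one ClusterRoleBinding as kubectl would print it."""
    return {
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
        "subjects": [dict(s) for s in subjects],
    }


# Constructed sample: two default bindings that are fine, three that are not.
SAMPLE_CRBS = {"kind": "List", "items": [
    _crb("cluster-admin", "cluster-admin",
         {"kind": "Group", "name": "system:masters"}),
    _crb("system:discovery", "system:discovery",
         {"kind": "Group", "name": "system:authenticated"}),
    _crb("kube-system-default-admin", "cluster-admin",
         {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}),
    _crb("everyone-can-edit", "edit",
         {"kind": "Group", "name": "system:authenticated"}),
    _crb("ci-runner", "cluster-admin",
         {"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}),
]}


if __name__ == "__main__":
    # Real use: kubectl get clusterrolebindings -o json | python3 rbac_audit.py --stdin
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_CRBS
    for name, reason in risky_bindings(data):
        print(f"{name}: {reason}")
```

From inside a pod the same question can be asked of the API server directly with kubectl auth can-i --list, or impersonated from a workstation with kubectl auth can-i --list --as=system:serviceaccount:NAMESPACE:default, which shows what a compromised pod in that namespace could actually do.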

2. Exposed Kubernetes API

An Internet-facing API server that serves anonymous requests beyond the default discovery endpoints, or that relies on weak authentication: static token files, or client certificates, which Kubernetes cannot revoke (it checks no CRL) short of rotating the cluster CA.

3. Privileged Containers

Running containers with the --privileged flag, or granting dangerous capabilities such as CAP_SYS_ADMIN or CAP_SYS_PTRACE, can enable escape to the host. --privileged grants every capability, exposes all host devices under /dev and disables the default seccomp and AppArmor profiles.
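The quickest way to learn what a container process can really do is to decode the CapEff line of /proc/self/status, which is what the added example below does (not code from the original guide). The capability bit table follows linux/capability.h; the two status snippets are constructed, one with Docker's default capability set and one with everything a --privileged container gets; the per-capability escape hints are a summary of well-known techniques and an assumption about which ones matter first.

```python
"""Decode CapEff from /proc/<pid>/status to see which capabilities a process has.

Added example, not code from the original guide.  The status texts below are
constructed; the hints summarise well-known capability abuse routes."""
import re

# Bit index -> capability name, from linux/capability.h.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities that commonly turn into a host escape on their own (assumed priority list).
DANGEROUS = {
    "SYS_ADMIN": "mount(), cgroup release_agent and most namespace tricks",
    "SYS_PTRACE": "ptrace host processes when the PID namespace is shared",
    "SYS_MODULE": "load a kernel module into the host kernel",
    "DAC_READ_SEARCH": "open_by_handle_at() can read arbitrary host files",
    "SYS_RAWIO": "raw access to block devices and physical memory",
    "NET_ADMIN": "reconfigure host networking",
}


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Expand a bitmask into capability names, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def audit_status(status_text):
    """Summarise effective capabilities and which of them are escape candidates."""
    caps = decode_caps(parse_cap_eff(status_text))
    return {
        "count": len(caps),
        "caps": caps,
        "hints": {c: DANGEROUS[c] for c in caps if c in DANGEROUS},
        "looks_privileged": "SYS_ADMIN" in caps and "SYS_MODULE" in caps,
    }


# Constructed samples: Docker's default set (14 caps) and a --privileged container (all 41).
DEFAULT_DOCKER_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:
            report = audit_status(f.read())
    except OSError:
        report = audit_status(DEFAULT_DOCKER_STATUS)
    print(f"{report['count']} effective capabilities:", ", ".join(report["caps"]))
    for cap, why in report["hints"].items():
        print(f"  [!] {cap}: {why}")
```

The same mask can be read for any visible process (/proc/1/status is a quick check on whether PID 1 is the host's init or the container's entrypoint), and capsh --decode=MASK prints the same expansion if the capsh binary is available in the image.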

4. Secrets in Images

Hardcoded credentials, API keys and private keys embedded in image layers. A file deleted in a later layer is only marked as removed (a whiteout entry); the earlier layer still carries its contents. ENV and ARG values show up in docker history --no-trunc, and every layer can be extracted from the archive written by docker save.
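An added example (not code from the original guide) of scanning image layers the way a reviewer would after docker save: each layer tar is searched for suspicious paths and secret-shaped content, and a finding is cross-checked against whiteout entries in later layers to show that a RUN rm in the Dockerfile does not remove the secret from the image. The two layers are constructed in memory; the credential values are AWS's documented example keys, and the path and content patterns are one engineer's starting list.

```python
"""Scan image layers (as written by `docker save`) for leaked secrets, including
files that a later layer 'deleted' via a whiteout.

Added example, not code from the original guide.  The layers below are
constructed in memory; the AWS values are AWS's documented example credentials."""
import io
import re
import tarfile

SUSPICIOUS_PATHS = re.compile(
    r"(^|/)(id_rsa|id_ed25519|\.env|\.npmrc|\.git-credentials|\.aws/credentials|[^/]+\.pem)$")
SECRET_PATTERNS = {
    "aws-access-key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private-key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password-assignment": re.compile(rb"(?i)(password|secret|token)\s*[=:]\s*\S{8,}"),
}


def scan_layer(layer_bytes, max_size=1 << 20):
    """Return (findings, whiteouts) for one layer tar.

    findings: [(path, [reasons])]; whiteouts: paths this layer marks as deleted."""
    findings, whiteouts = [], []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as tar:
        for m in tar.getmembers():
            base = m.name.rsplit("/", 1)[-1]
            if base.startswith(".wh."):          # whiteout: file removed in this layer
                whiteouts.append(m.name.replace(".wh.", "", 1))
                continue
            if not m.isfile():
                continue
            reasons = []
            if SUSPICIOUS_PATHS.search(m.name):
                reasons.append("suspicious path")
            if m.size <= max_size:               # skip huge binaries
                data = tar.extractfile(m).read()
                reasons += [k for k, rx in SECRET_PATTERNS.items() if rx.search(data)]
            if reasons:
                findings.append((m.name, reasons))
    return findings, whiteouts


def scan_image_layers(layers):
    """layers: layer tars in build order.  A secret in an early layer stays in the
    image even when a later layer whiteouts the file; report both facts."""
    scanned = [scan_layer(layer) for layer in layers]
    report = []
    for idx, (findings, _) in enumerate(scanned):
        later_whiteouts = {w for _, ws in scanned[idx + 1:] for w in ws}
        for path, reasons in findings:
            report.append({"layer": idx, "path": path, "reasons": reasons,
                           "deleted_in_later_layer": path in later_whiteouts})
    return report


def build_layer(files):
    """Constructed helper: make a layer tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed image: layer 0 copies credentials in, layer 1 is the "RUN rm" whiteout.
SAMPLE_LAYERS = [
    build_layer({
        "root/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                 b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "app/config.yml": b"db_password: Sup3rS3cretPass\n",
        "app/main.py": b"print('hello')\n",
    }),
    build_layer({"root/.aws/.wh.credentials": b""}),
]


if __name__ == "__main__":
    for hit in scan_image_layers(SAMPLE_LAYERS):
        gone = " (whiteout in later layer, still recoverable)" if hit["deleted_in_later_layer"] else ""
        print(f"layer {hit['layer']}: {hit['path']} {hit['reasons']}{gone}")
```

Against a real image, docker save IMAGE -o image.tar produces an archive whose manifest.json lists the layer tar paths in order; feed those layer files to scan_image_layers. Trivy and similar scanners cover the same ground with far larger pattern sets, but the whiteout check above is the part that explains why "we deleted it in the next RUN" is not a fix.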

Container Escape Techniques

Privileged Container

Inside a --privileged container the host's block devices are visible. Identify the root device with lsblk or fdisk -l (/dev/sda1 below is an example; on cloud hosts it is often /dev/nvme0n1p1 or /dev/vda1), mount it and chroot into it:

mkdir /host && mount /dev/sda1 /host && chroot /host

Docker Socket

With the host's Docker socket mounted into the container (here at /host/var/run/docker.sock; point -H at wherever it was mounted, commonly /var/run/docker.sock), spawn a new container that bind-mounts the host root filesystem and chroot into it:

docker -H unix:///host/var/run/docker.sock run -v /:/host -it alpine chroot /host

hostPath Volume

Pod mounts the host filesystem: a hostPath volume with path: / plus the matching volumeMount, after which chroot /host inside the pod gives a shell on the node:

volumes:
  - name: hostfs
    hostPath:
      path: /
volumeMounts:
  - name: hostfs
    mountPath: /host

Kernel Exploits

Dirty COW (CVE-2016-5195) in the kernel, or CVE-2019-5736 in runc, which lets a container overwrite the host's runc binary through /proc/self/exe when runc execs into it. Both depend on the exact host kernel or runtime version, so fingerprint first (uname -r inside a container reports the host kernel):

./exploit → root on host

Essential K8s Attack Tools

Enumeration

  • kubectl
  • kubeletctl
  • kdigger
  • kubeaudit

Exploitation

  • Peirates
  • kube-hunter
  • CDK (Container Duck)
  • BOtB

Scanning

  • Trivy
  • Grype
  • Clair
  • Falco (runtime)

Always Check Service Accounts

Inside a pod the service account token, the cluster CA certificate and the pod's namespace are mounted under /var/run/secrets/kubernetes.io/serviceaccount/ (token, ca.crt, namespace) unless the pod sets automountServiceAccountToken: false. Use the token as a bearer token against https://kubernetes.default.svc (or $KUBERNETES_SERVICE_HOST) to enumerate what that identity can do, starting with kubectl auth can-i --list. Since Kubernetes 1.22 these tokens are projected, time-bound and rotated by the kubelet, so check the exp claim before relying on a copied one.
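An added example (not code from the original guide) of what to do with a mounted token before firing requests at the API server: decode the JWT payload without verifying it (the pod is not the API server, and the claims are only used for reconnaissance), read the namespace and service account from the sub claim, check exp, and produce the kubectl and curl commands for the first enumeration round. SAMPLE_TOKEN is a constructed, unsigned JWT shaped like a projected service account token; the command list is an assumed order of operations, not the page's own.

```python
"""Inspect a mounted service account token and plan API enumeration with it.

Added example, not code from the original guide.  SAMPLE_TOKEN is a constructed,
unsigned JWT shaped like a projected service account token."""
import base64
import json
import os

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)           # JWT segments drop the padding
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode the payload only; the signature is deliberately not verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[1]))


def sa_identity(claims):
    """Return (namespace, serviceaccount) from the sub claim."""
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError(f"unexpected subject: {sub}")
    ns, name = sub[len(prefix):].split(":", 1)
    return ns, name


def is_expired(claims, now):
    """Projected tokens carry exp; legacy secret-based tokens do not."""
    exp = claims.get("exp")
    return exp is not None and now >= exp


def recon_commands(namespace, token_path=f"{SA_DIR}/token", ca_path=f"{SA_DIR}/ca.crt",
                   server="https://kubernetes.default.svc"):
    """First enumeration round, cheapest and most telling requests first."""
    auth = f'-H "Authorization: Bearer $(cat {token_path})"'
    return [
        f"kubectl --server={server} --certificate-authority={ca_path} "
        f"--token=$(cat {token_path}) auth can-i --list -n {namespace}",
        f"curl -s --cacert {ca_path} {auth} {server}/api/v1/namespaces/{namespace}/pods",
        f"curl -s --cacert {ca_path} {auth} {server}/api/v1/namespaces/{namespace}/secrets",
        f"curl -s --cacert {ca_path} {auth} {server}/api/v1/namespaces",
    ]


def load_mounted_token(sa_dir=SA_DIR):
    with open(os.path.join(sa_dir, "token")) as f:
        return f.read().strip()


def _make_sample_token():
    """Constructed projected-token lookalike; the signature bytes are not real."""
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "sub": "system:serviceaccount:dev:default",
        "iat": 1700000000, "exp": 1700003600,
        "kubernetes.io": {
            "namespace": "dev",
            "serviceaccount": {"name": "default", "uid": "00000000-0000-0000-0000-000000000000"},
            "pod": {"name": "web-7d9c", "uid": "11111111-1111-1111-1111-111111111111"},
        },
    }
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"not-a-real-signature")])


SAMPLE_TOKEN = _make_sample_token()


if __name__ == "__main__":
    try:
        token = load_mounted_token()
    except OSError:
        token = SAMPLE_TOKEN
    claims = jwt_claims(token)
    ns, sa = sa_identity(claims)
    print(f"identity: system:serviceaccount:{ns}:{sa}  exp={claims.get('exp')}")
    for cmd in recon_commands(ns):
        print(cmd)
```

The kubernetes.io.pod claim in a projected token also tells you which pod the token was issued to; the API server rejects such a token once that pod is gone, which is why a token copied out of a pod stops working after the pod is rescheduled even before exp is reached.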
