Kubernetes Architecture

K8s

Kubernetes orchestrates containers at scale. Understanding its architecture reveals numerous attack vectors from the API server to kubelet and etcd.

Control Plane Components

API Server (6443)

• Central management interface
• REST API for all operations
• Authentication & Authorization
• Target for credential theft

etcd (2379)

• Cluster state database
• Stores secrets in plaintext
• High-value target
• Often unauthenticated

Kubelet (10250)

• Node agent on each worker
• Manages pod lifecycle
• Exec into containers
• Anonymous auth issues

Scheduler & Controller

• Pod placement decisions
• Maintains desired state
• Internal to control plane
• Less direct attack surface

Service Account Tokens

k8s-sa.sh

bash

# Default SA token location in pods
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace

# Use token to query API server
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -k -H "Authorization: Bearer $TOKEN" \
  https://kubernetes.default.svc/api/v1/namespaces/default/pods

# Check permissions
kubectl auth can-i --list

Kubernetes Architecture

Control Plane Components

API Server (6443)

etcd (2379)

Kubelet (10250)

Scheduler & Controller

Service Account Tokens

Related Topics

Container Escapes

K8s Enumeration