Kubernetes Attack Surface

less than 1 minute read

This is a short (and incomplete) overview of the attack surface for a Kubernetes cluster.

ServiceAccounts

A Kubernetes ServiceAccount gives access to the K8s API. By default this account is mounted in every pod and might give additional privileges in the cluster. As an example, a ServiceAccount might be able to list all pods in a namespace or list and read secrets.

The default mount location is /var/run/secrets/kubernetes.io/serviceaccount. In this directory the token and CA cert are stored. You can use those to talk to the K8s API:
kubectl --token=<token> --certificate-authority=<ca>

Etcd

Etcd is the ‘main database’ for Kubernetes. If you gain access to etcd, you can list all secrets in the cluster.
Use etcdctl.

Kubelet

Kubelet runs on every node in the cluster. If there is unauthenticated access, it might be possible to interact with the pods that are running on that node.
You can use this to gain shell or execute commands inside a pod and pivot into or away from the cluster. Use kubeletctl.

Twitter Facebook LinkedIn

Roy Stultiens

Kubernetes Attack Surface

ServiceAccounts

Etcd

Kubelet

You May Also Enjoy

Certified Azure Red Team Professional - CARTP

AWS - Exploiting Instance Metadata Service

Cloud Security - Azure Fundamentals

Anyone out there?