All articles
DEEP DIVE · 8 min read

Kubernetes Attack Paths You Should Know

Kubernetes makes lateral movement easy by design. Service accounts, host mounts and the API server form a triangle that turns a single RCE into cluster compromise faster than most teams realize.

Pod escapes

Privileged containers, hostPath mounts, hostPID and dangerous capabilities all let an attacker break out to the node.

Service-account abuse

Default tokens with cluster-admin still exist in the wild. Once mounted, the attacker talks straight to the API server.

  • Audit RBAC for wildcard verbs
  • Disable automountServiceAccountToken where unused
  • Bind ClusterRoles tightly

Detection that actually works

Watch for exec into pods, unexpected API calls, and new pods landing on sensitive nodes. Falco rules + audit logs catch most of it.

Tools mentioned

kubectlkube-hunterPeiratesKubescapeFalco
⟩ takeaway

Treat the cluster as one big trust boundary. Anything inside can become everything inside.

⟩ keep reading

Related articles