DEEP DIVE · 8 min read
Kubernetes Attack Paths You Should Know
Kubernetes makes lateral movement easy by design. Service accounts, host mounts and the API server form a triangle that turns a single RCE into cluster compromise faster than most teams realize.
Pod escapes
Privileged containers, hostPath mounts, hostPID and dangerous capabilities all let an attacker break out to the node.
Service-account abuse
Default tokens with cluster-admin still exist in the wild. Once mounted, the attacker talks straight to the API server.
- Audit RBAC for wildcard verbs
- Disable automountServiceAccountToken where unused
- Bind ClusterRoles tightly
Detection that actually works
Watch for exec into pods, unexpected API calls, and new pods landing on sensitive nodes. Falco rules + audit logs catch most of it.
Tools mentioned
kubectlkube-hunterPeiratesKubescapeFalco
⟩ takeaway
Treat the cluster as one big trust boundary. Anything inside can become everything inside.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.