|Pod||Container||Lateral Movement, TA0008|
Attach to a container running within a pod given access to the pod.
In order to attach a container running in a pod, you can create a debugging container with the
kubectl debug command. It will spawn an ephemeral container that will attach to the console. To do so you need:
+ The target pod
+ The image to spawn as an ephemeral container
In order to access the target process, you need the id of the targeted container. Then by using the
--target flag, the ephemeral container will share the linux process namespace with the target By default, the process namespace is not shared between containers in a pod.
Permissions to debug the pod
Check if sufficient permissions to attach to pods in the namespace of the target. First find the pod's namespace and id:
Then check permissions:
Create and attach an ephemeral debugging container to the target pod via:
To determine the containers running in the pod (required to set a target above), you can use:
- Monitor K8s audit logs for pod debug events as these should be fairly unusual, but may be triggered by legitimate SRE or developer activities.