With the correct privileges an attacker can use the Kubernetes API to obtain a shell on a running pod.
| Source | Destination | MITRE |
| --- | --- | --- |
| PermissionSet | Pod | Lateral Movement, TA0008 |
An attacker with sufficient permissions can execute arbitrary commands inside a container using the `kubectl exec` command, which drives the `pods/exec` subresource of the Kubernetes API.
Ability to interrogate the K8s API with a role allowing `create` on the `pods/exec` subresource, against pods that contain the binary you want to execute (e.g. a shell such as `/bin/sh`).
See the example pod spec.
Simply ask kubectl whether the current identity may create the exec subresource (`kubectl auth can-i create pods/exec`, adding `-n <namespace>` to test a specific namespace).
Spawn a new interactive shell on the target pod with `kubectl exec -it <pod> -- /bin/sh`, using `-c <container>` to pick a container in a multi-container pod.
- Monitor the API audit log for requests to the `pods/exec` subresource, in particular exec calls that originate from within an existing pod (service-account identities or in-cluster source addresses)
- This activity will be BAU for SREs, so alerting on every exec is noisy; monitoring for follow-on actions after the exec may be more fruitful
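The monitoring advice above, as an added example that is not part of the original page or of KubeHound: a small Python script that scans Kubernetes API audit events (one JSON object per line, which is the default JSON backend format) for requests to the `pods/exec` subresource and flags those that appear to come from inside the cluster. The sample events are constructed for illustration, the pod CIDR `10.244.0.0/16` is an assumption to adjust for the target cluster, and the audit policy is assumed to record at least Metadata level for `pods/exec`.

```python
"""Flag kubectl exec activity in Kubernetes API audit logs.

Added example, not code from the original page or from KubeHound.
Assumes audit logging records the pods/exec subresource at Metadata
level or higher and writes one JSON event per line.
"""
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample events: an exec from an operator's workstation, an exec
# from a service account on the pod network, and an unrelated GET.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseStarted","verb":"create","user":{"username":"alice@example.com","groups":["sre"]},"sourceIPs":["203.0.113.10"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-7d9f"},"requestURI":"/api/v1/namespaces/prod/pods/web-7d9f/exec?command=%2Fbin%2Fsh&stdin=true&tty=true","responseStatus":{"code":101},"userAgent":"kubectl/v1.29.0"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseStarted","verb":"create","user":{"username":"system:serviceaccount:ci:runner","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.3.17"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"db-0"},"requestURI":"/api/v1/namespaces/prod/pods/db-0/exec?command=%2Fbin%2Fbash&stdin=true&tty=true","responseStatus":{"code":101},"userAgent":"kubectl/v1.29.0"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.10"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f"},"requestURI":"/api/v1/namespaces/prod/pods/web-7d9f","responseStatus":{"code":200}}
'''

# Assumption: the cluster's pod network. Adjust to the real pod CIDR(s).
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")


def parse_events(log_text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_exec(event):
    """True for a create on the pods/exec subresource (what kubectl exec issues).

    exec is an upgraded, long-running request, so depending on policy it may
    only appear at stage ResponseStarted; do not require ResponseComplete.
    """
    ref = event.get("objectRef", {})
    return (
        event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and ref.get("subresource") == "exec"
    )


def exec_params(event):
    """Extract the command argv and tty flag from the exec request URI."""
    query = parse_qs(urlsplit(event.get("requestURI", "")).query)
    return query.get("command", []), query.get("tty") == ["true"]


def from_inside_cluster(event):
    """Heuristic for 'exec from within an existing pod': the caller is a
    service account, or the request came from a pod-network address."""
    username = event.get("user", {}).get("username", "")
    if username.startswith("system:serviceaccount:"):
        return True
    return any(
        ipaddress.ip_address(ip) in POD_CIDR for ip in event.get("sourceIPs", [])
    )


def find_exec_events(log_text):
    """Return one finding per exec request, with the fields an analyst wants."""
    findings = []
    for event in parse_events(log_text):
        if not is_exec(event):
            continue
        ref = event["objectRef"]
        command, interactive = exec_params(event)
        findings.append(
            {
                "user": event.get("user", {}).get("username"),
                "source_ips": event.get("sourceIPs", []),
                "namespace": ref.get("namespace"),
                "pod": ref.get("name"),
                "command": command,
                "interactive": interactive,
                "from_inside_cluster": from_inside_cluster(event),
            }
        )
    return findings


if __name__ == "__main__":
    for finding in find_exec_events(SAMPLE_AUDIT_LOG):
        marker = "IN-CLUSTER" if finding["from_inside_cluster"] else "external"
        print(f"[{marker}] {finding['user']} -> {finding['namespace']}/{finding['pod']} "
              f"{' '.join(finding['command'])} tty={finding['interactive']}")
```

Run it against a real audit log by feeding the file contents to `find_exec_events`; the `from_inside_cluster` flag is the pivot for the guidance above, since operator execs from workstations are BAU while execs issued by a service account or from the pod network are the lateral-movement case worth a closer look at follow-on actions.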
Implement least privilege access
Pod interactive execution is a very powerful privilege and should not be required by the majority of users. Use an automated tool such as KubeHound to search for any risky permissions and users in the cluster and look to eliminate them.