Kubernetes
What You Will Learn
- How Kubernetes organizes and manages containers
- What pods, services, namespaces, and nodes are
- How to enumerate a Kubernetes cluster as an attacker
- How to escape containers via the containerd socket
What Is It?
Kubernetes (K8s) is an open-source container orchestration platform. It automates the deployment, scaling, and management of containerized applications. Large-scale cloud deployments almost always use Kubernetes.
From a security perspective, Kubernetes introduces unique attack surfaces: misconfigured RBAC, exposed dashboards, overly permissive service accounts, and accessible container runtimes.
Why It Matters
Kubernetes is standard in enterprise environments. Gaining access to a Kubernetes cluster can mean access to dozens or hundreds of services, databases, and internal APIs.
Terminology
| Term | Description |
|---|---|
| Node | A physical or virtual machine with actual resources (CPU, RAM) |
| Cluster | A group of nodes — one master and any number of workers |
| Pod | One or more containers that share storage and network |
| Namespace | Logical isolation for resources — keeps secrets separate between services |
| Service | A way to expose an application running on pods as a network service |
Types of Kubernetes Services
| Type | Description |
|---|---|
| ClusterIP | Only reachable within the cluster |
| LoadBalancer | Single entry point from outside the cluster |
| NodePort | Exposes a port on the cluster to outside services |
| ExternalName | Maps a service to a DNS name |
kubectl Commands
# Get all pods in all namespaces
kubectl get pods --all-namespaces
kubectl get pods -n <namespace>
# Get all services
kubectl get svc -n <namespace>
# Get all deployments
kubectl get deployments -n <namespace>
# Describe a pod (shows volumes, environment variables)
kubectl describe pod <pod-name> -n <namespace>
# Execute a command in a running pod
kubectl exec -it <pod-name> -n <namespace> -- /bin/sh
# View pod logs
kubectl logs <pod-name> -n <namespace>
# Get all secrets (if you have permission)
kubectl get secrets -n <namespace>
kubectl get secret <name> -n <namespace> -o jsonpath='{.data}' | base64 -d
Pentesting Kubernetes
Enumerate from Inside a Pod
When you land in a container, check if it has elevated access to the Kubernetes API:
# Service account token is automatically mounted
cat /var/run/secrets/kubernetes.io/serviceaccount/token
# Kubernetes API address
env | grep KUBERNETES
# Query the API using the service account token
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -k https://kubernetes.default.svc/api/v1/namespaces \
-H "Authorization: Bearer $TOKEN"
# List secrets (if allowed)
curl -k https://kubernetes.default.svc/api/v1/namespaces/default/secrets \
-H "Authorization: Bearer $TOKEN"
containerd.sock — Container Escape
containerd.sock (often at /run/containerd/containerd.sock) is where clients connect to the containerd runtime. If this socket is mounted inside a container, you can use it to escape.
Docker uses it to tell containerd to run containers. Kubernetes uses it via the CRI plugin.
# Check if socket is mounted
ls -la /var/run/containerd/containerd.sock
ls -la /var/run/docker.sock
# Use crictl to interact with containerd
crictl -r unix:///run/containerd/containerd.sock images
crictl -r unix:///run/containerd/containerd.sock ps
Kubernetes Dashboard
An exposed Kubernetes dashboard can allow full cluster control if RBAC is not configured:
# Access dashboard proxy
kubectl proxy
# Then browse: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/