Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 02. Containers / Container Escape / Attacks

Kubernetes From Container

Kubernetes changes the container escape question.

From inside a pod, the first objective is often not direct host escape. It is Kubernetes API access through the pod's service account.


Detection

Check for Kubernetes environment variables:

env | grep -i kubernetes

Check service account files:

ls -la /var/run/secrets/kubernetes.io/serviceaccount
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace

Common files:

/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
/var/run/secrets/kubernetes.io/serviceaccount/namespace

API Access

Set variables:

TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
API="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"

Check API:

curl --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/version"

Get namespace:

NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)

List pods if permitted:

curl --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
  "$API/api/v1/namespaces/$NS/pods"

With kubectl

If kubectl is available:

kubectl auth can-i --list
kubectl get pods
kubectl get secrets
kubectl get serviceaccounts

Check specific high-impact permissions:

kubectl auth can-i create pods
kubectl auth can-i get secrets
kubectl auth can-i create pods/exec
kubectl auth can-i list nodes
kubectl auth can-i '*' '*'

High-Impact Permissions

High-value Kubernetes permissions include:

get/list/watch secrets
create pods
create pods/exec
create pods/attach
create daemonsets
create deployments
patch pods
use privileged pod security policy / privileged admission path
list nodes
get nodes/proxy
impersonate users/groups/serviceaccounts

Impact depends on cluster policy.

For example, create pods becomes much more serious if the namespace allows privileged pods or hostPath mounts.


Pod-To-Node Paths

Possible paths from Kubernetes permissions to node impact:

  • Create privileged pod
  • Mount hostPath /
  • Use host PID namespace
  • Use host network namespace
  • Deploy daemonset to nodes
  • Read node credentials or kubelet files
  • Abuse overly broad service account tokens

These are Kubernetes misconfigurations, not generic Docker escapes.


Remediation

  • Disable automatic service account token mounting where not needed.
  • Use least-privilege RBAC.
  • Do not grant broad get secrets permissions.
  • Prevent untrusted workloads from creating privileged pods.
  • Restrict hostPath mounts.
  • Restrict host PID, host IPC, and host network.
  • Use admission controls and Pod Security Standards.
  • Separate namespaces by trust level.
  • Rotate exposed service account tokens.
  • Monitor Kubernetes API calls from pods.

Inside Kubernetes, the API server is often the real control plane.