Initial access | Execution | Persistence | Privilege escalation | Defense evasion | Credential access | Discovery | Lateral movement | Collection | Impact
Using Cloud | Exec into Container | Backdoor Container | Privileged Container | Clear Container Logs | List K8s secrets | Access the K8s API server | Access cloud resources | Images from a private repository | Data Destruction
Compromised images in registry | bash/cmd in container | Writable hostPath mount | Cluster-admin binding | Delete k8s events | Mount service principal | Access Kubelet API | Container service account | Resource hijacking
Kubeconfig file | New container | Kubernetes CronJob | hostPath mount | Pod / container name similarity | Access container service account | Network mapping | Cluster internal networking | Denial of Service
Application vulnerability | Application exploit (RCE) | Malicious admission controller | Access cloud resources | Connect from proxy server | Applications credentials in configuration files | Access Kubernetes dashboard | Applications credentials in configuration files
Exposed sensitive interfaces | SSH server running inside container | Disable Namespacing | Access managed identity credentials | Instance metadata API | Writable volume mounts on the host
Sidecar injection | Malicious admission controller | CoreDNS poisoning
ARP poisoning and IP spoofing

Applications credentials in configuration files

Developers store secrets in Kubernetes configuration files, for example as environment variables in the pod specification. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, whether by querying the API server or by reading the files on a developer's endpoint, can steal the stored secrets and use them.

Example

Create a pod that has a sensitive environment variable configured with a literal value:

apiVersion: v1
kind: Pod
metadata:
  name: postgres-db-pod
spec:
  containers:
  - image: postgres
    name: postgres-db-pod
    env:
    - name: POSTGRES_PASSWORD
      value: "mysecretpassword"

With a configuration like this, anyone who can read the pod object (for example with kubectl describe or kubectl get) can see the value of the POSTGRES_PASSWORD environment variable in clear text.

$ kubectl describe pod postgres-db-pod
Name:             postgres-db-pod
Namespace:        default
...
Containers:
  postgres-db-pod:
    Container ID:   containerd://e8644ea896bde6b8bb7df5f778df4badfc00d4c1d2f0fa76d52877a4221b7663
    Image:          postgres
    ...
    Environment:
      POSTGRES_PASSWORD:  mysecretpassword
    ...
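The same exposure can be found across a whole cluster by reading pod objects from the API server instead of looking at one pod at a time. The following script is an added example, not part of the original page: it walks the JSON that `kubectl get pods -A -o json` prints, reports every environment variable that is set with a literal `value` and has a credential-like name, and treats entries that use `valueFrom.secretKeyRef` as acceptable. The embedded pod list is constructed for the example; the name pattern is an assumption to be tuned per environment.

```python
"""Flag plaintext credentials in pod environment variables.

Added example (not from the original page): scans the output of
`kubectl get pods -A -o json` for env entries whose value is a literal
string and whose name looks credential-like. Entries that reference a
Secret via valueFrom.secretKeyRef are accepted. The sample pod list
below is constructed, not captured from a real cluster.
"""
import json
import re
import sys

# Assumed name pattern for variables that usually carry credentials.
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE
)


def _containers(pod_spec):
    """Yield every container in the spec, including init and ephemeral ones."""
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for container in pod_spec.get(kind, []):
            yield container


def find_plaintext_credentials(pod_list):
    """Return one finding per env var that has a literal value and a sensitive name.

    pod_list is the parsed JSON of `kubectl get pods -o json` (a List object).
    The literal value is deliberately left out of the report so the scanner's
    own output does not become another place where the secret is written down.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for container in _containers(pod.get("spec", {})):
            for env in container.get("env", []):
                name = env.get("name", "")
                # Skip valueFrom entries (secretKeyRef, configMapKeyRef, fieldRef)
                # and literal values whose name does not look credential-like.
                if "value" not in env or not SENSITIVE_NAME.search(name):
                    continue
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "pod": meta.get("name", "<unnamed>"),
                    "container": container.get("name", "<unnamed>"),
                    "env": name,
                })
    return findings


# Constructed sample: the pod from the page and a variant that uses a Secret.
SAMPLE_POD_LIST = json.loads("""
{
  "kind": "List",
  "items": [
    {
      "metadata": {"name": "postgres-db-pod", "namespace": "default"},
      "spec": {"containers": [{
        "name": "postgres-db-pod",
        "image": "postgres",
        "env": [{"name": "POSTGRES_PASSWORD", "value": "mysecretpassword"},
                {"name": "PGDATA", "value": "/var/lib/postgresql/data"}]
      }]}
    },
    {
      "metadata": {"name": "postgres-db-pod-fixed", "namespace": "default"},
      "spec": {"containers": [{
        "name": "postgres-db-pod",
        "image": "postgres",
        "env": [{"name": "POSTGRES_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "postgres-credentials",
                                                "key": "password"}}}]
      }]}
    }
  ]
}
""")


if __name__ == "__main__":
    # Pipe real cluster output in (kubectl get pods -A -o json | python3 scan.py);
    # with no piped input the constructed sample is scanned instead.
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_plaintext_credentials(data):
        print(f"{f['namespace']}/{f['pod']} container={f['container']} env={f['env']}")
```

On the sample the scanner reports only `default/postgres-db-pod container=postgres-db-pod env=POSTGRES_PASSWORD`; the pod that references a Secret and the harmless PGDATA variable produce no finding. The script needs the same API permission an attacker would use, `get`/`list` on pods, which is also why the finding matters: anyone with that permission sees the same value.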

Storing the value in a Kubernetes Secret and referencing it from the pod instead (it can still be made available as an environment variable) mitigates this specific attack technique/scenario.
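The hardened form of the pod above, as an added example that is not part of the original page: the password moves into a Secret and the container receives it through `valueFrom.secretKeyRef`. The Secret name `postgres-credentials` and the key `password` are assumptions chosen for the example.

```yaml
# Added example (not from the original page). Secret name and key are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
type: Opaque
stringData:
  # stringData takes the plain value; the API server stores it base64-encoded.
  password: "mysecretpassword"
---
apiVersion: v1
kind: Pod
metadata:
  name: postgres-db-pod
spec:
  containers:
  - image: postgres
    name: postgres-db-pod
    env:
    - name: POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-credentials
          key: password
```

After applying this manifest, `kubectl describe pod postgres-db-pod` shows the variable as `<set to the key 'password' in secret 'postgres-credentials'>` rather than the value, so read access to pods no longer discloses it. Two caveats apply: the value is now readable by anyone with `get` on Secrets in that namespace, so RBAC on Secrets must be as tight as on the original data, and Secrets are only base64-encoded in etcd unless encryption at rest is enabled for the cluster.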