Pods that are created by controllers such as Deployment or DaemonSet have a random suffix in their names. Attackers can use this fact and name their backdoor pods as if they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.
Also, attackers can deploy their containers in the kube-system namespace where the administrative containers reside.
The following deploys a pod in the kube-system namespace (assuming the attacker has the necessary permissions) with a name that looks as if it is necessary for Kubernetes to work as intended. The same could also be done by using a Deployment.
```
$ kubectl get pods -n kube-system
NAME                      READY   STATUS    RESTARTS   AGE
...
coredns-b96499967-r4zrt   1/1     Running   0          32h
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: coredns-b96499967-r5zrt
  namespace: kube-system
spec:
  containers:
  - image: nginx # would in reality be a malicious image
    name: coredns
```
```
$ kubectl get pods -n kube-system
NAME                      READY   STATUS    RESTARTS   AGE
...
coredns-b96499967-r4zrt   1/1     Running   0          32h
...
coredns-b96499967-r5zrt   1/1     Running   0          5s
```
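The two coredns pods above are indistinguishable in the listing, but the look-alike has no controller in its `metadata.ownerReferences`. The following detection sketch is an added example, not part of the original page: it assumes input shaped like `kubectl get pods -n kube-system -o json`, and the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get pods -n kube-system -o json`
# and trimmed to the fields the check reads.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "coredns-b96499967-r4zrt", "namespace": "kube-system",
    "ownerReferences": [{"kind": "ReplicaSet", "name": "coredns-b96499967", "controller": true}]}},
  {"metadata": {"name": "coredns-b96499967-r5zrt", "namespace": "kube-system"}},
  {"metadata": {"name": "kube-proxy-x7k2p", "namespace": "kube-system",
    "ownerReferences": [{"kind": "DaemonSet", "name": "kube-proxy", "controller": true}]}},
  {"metadata": {"name": "kube-apiserver-node1", "namespace": "kube-system",
    "ownerReferences": [{"kind": "Node", "name": "node1", "controller": true}]}}
]}
""")

CONTROLLER_KINDS = {"ReplicaSet", "DaemonSet", "StatefulSet", "Job"}


def controller_of(pod):
    """Return (kind, name) of the pod's managing controller, or None."""
    for ref in pod["metadata"].get("ownerReferences", []):
        if ref.get("controller") and ref.get("kind") in CONTROLLER_KINDS:
            return ref["kind"], ref["name"]
    return None


def find_lookalike_pods(pod_list):
    """Flag pods named like a controller's pods but not owned by that controller."""
    pods = pod_list["items"]
    # (namespace, owner name) pairs seen on genuinely controller-owned pods.
    owners = set()
    for p in pods:
        c = controller_of(p)
        if c:
            owners.add((p["metadata"]["namespace"], c[1]))
    findings = []
    for p in pods:
        meta = p["metadata"]
        prefix = meta["name"].rpartition("-")[0]  # name without the last suffix
        c = controller_of(p)
        if (meta["namespace"], prefix) in owners and (c is None or c[1] != prefix):
            findings.append(f'{meta["namespace"]}/{meta["name"]}')
    return findings


if __name__ == "__main__":
    for name in find_lookalike_pods(SAMPLE):
        print("lookalike pod without matching controller:", name)
```

The check relies on at least one genuine controller-owned pod being present in the same namespace to establish the expected name prefix.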