Kubernetes Attack Surface
Kubernetes exposes multiple components that attackers can target. Understanding this attack surface is critical for effective penetration testing and security assessment.
Primary Attack Targets
- API Server: central management hub (6443)
- etcd: cluster state database (2379)
- Kubelet: node agent (10250/10255)
- Container Runtime: containerd/CRI-O/Docker
Critical Risk Areas
- API Server (6443) - Anonymous auth, RBAC bypass, privilege escalation
- etcd (2379) - Direct secret extraction, cluster state manipulation
- Kubelet (10250) - Container command execution, pod manipulation
- Container Runtime - Breakout techniques, socket access
K8s Pentest Kill Chain
A structured approach to Kubernetes penetration testing follows these phases from initial reconnaissance to full cluster compromise.
Attack Phases
- Reconnaissance: Shodan, kubectl enum, DNS
- Initial Access: Dashboard, kubelet, API
- Exploitation: Container escape, RBAC
- Cluster Takeover: Persistence, lateral movement
Common Attack Techniques
[Figure: container escape methods and privilege escalation paths; figure content not preserved in this extract]
Key Reconnaissance Targets
- External: Shodan/Censys for exposed dashboards, API servers, etcd
- Internal: kubectl enumeration, RBAC audit, secret discovery
- Cloud: Metadata service (169.254.169.254) for credentials
- DNS: Service discovery via cluster DNS enumeration
MITRE ATT&CK Mapping
Kubernetes attacks map directly to the MITRE ATT&CK for Containers framework, providing standardized threat modeling and detection capabilities.
Attack Tactics Progression
- Initial Access: Exploit exposed APIs, valid credentials, compromised images
- Execution: kubectl exec, container admin commands, deploy containers
- Persistence: CronJobs, static pods, backdoor containers, admission webhooks
- Privilege Escalation: Container escape, RBAC abuse, hostPath mounts
- Defense Evasion: Delete events/logs, pod name masquerading, proxy servers
- Credential Access: Service account tokens, secrets, cloud metadata
Essential Pentesting Tools
Reconnaissance & Scanning
- kube-hunter (vulnerability scanner)
- Trivy (misconfiguration audit)
- kubeletctl (kubelet API testing)
- kubectl plugins (rbac-lookup, who-can)
Exploitation & Post-Exploitation
- Peirates (K8s attack framework)
- kubesploit (post-exploitation)
- kdigger (container breakout)
- Falco (runtime detection evasion)
Pentest Methodology Checklist
K8s Security Assessment Phases
- External Recon
- Access Testing
- Exploitation
- Post-Exploitation
Post-Exploitation Focus
After initial access, focus on these high-value targets:
- Secrets: kubectl get secrets --all-namespaces
- Service Accounts: Overprivileged tokens for lateral movement
- Persistence: DaemonSets, CronJobs, static pods, admission webhooks
Key Recommendations
After testing, prioritize these mitigations:
- Implement Pod Security Standards at "Restricted" level
- Disable anonymous authentication on all components
- Use network policies for micro-segmentation
- Enable comprehensive audit logging
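A defender-side complement to the audit-logging and anonymous-authentication recommendations above: an added example, not code from the original post or from any Asfaleia tool, that runs three detection rules over constructed audit.k8s.io/v1 events covering the activity this page describes (anonymous API access, pods/exec, cluster-wide secret listing). The sample events, the rule names and the field choices are assumptions; real audit output depends on the cluster's audit policy.

```python
import json
from typing import Dict, List

# Constructed sample events (not from a real cluster) in the shape the API
# server's audit backend writes: one JSON object per line, stage ResponseComplete.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:default","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web-0"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"configmaps","namespace":"dev","name":"app"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ci:runner","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
"""

# Pod subresources that give an interactive foothold inside a container.
EXEC_LIKE = {"exec", "attach", "portforward"}


def classify(event: Dict) -> List[str]:
    """Return the names of the detection rules a single audit event matches."""
    hits: List[str] = []
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef") or {}
    code = event.get("responseStatus", {}).get("code", 0)
    # Rule 1: the anonymous principal got a non-error answer, so anonymous
    # auth is still enabled somewhere and was reachable.
    if user == "system:anonymous" and code < 400:
        hits.append("anonymous-access-succeeded")
    # Rule 2: exec/attach/port-forward into a pod (the "kubectl exec" tactic).
    if ref.get("resource") == "pods" and ref.get("subresource") in EXEC_LIKE:
        hits.append("pod-exec")
    # Rule 3: secrets listed with no namespace in objectRef, i.e. cluster-wide,
    # which is what "kubectl get secrets --all-namespaces" produces. Denied
    # attempts (403) are flagged too, since the attempt itself is the signal.
    if ref.get("resource") == "secrets" and event.get("verb") == "list" and not ref.get("namespace"):
        hits.append("cluster-wide-secret-list")
    return hits


def scan(log_text: str) -> List[Dict]:
    """Parse newline-delimited audit events and return one finding per rule hit."""
    findings: List[Dict] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue  # skip RequestReceived/Panic stages to avoid double counting
        for rule in classify(event):
            findings.append({"rule": rule, "user": event["user"]["username"],
                             "verb": event.get("verb"),
                             "code": event.get("responseStatus", {}).get("code")})
    return findings
```

Point `scan` at the audit backend's log file to triage a real cluster; the three rules are a starting point, not a complete ruleset.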
Conclusion
Kubernetes penetration testing requires specialized knowledge of container orchestration, cloud-native security, and attack techniques. The vast attack surface—from API servers to container runtimes—demands thorough assessment methodologies and the right tools.
Default configurations are often insecure, and misconfigurations are prevalent. Regular security assessments are essential for maintaining a secure Kubernetes environment.
Written by
Asfaleia Team
Principal Security Consultant
Offensive security specialist with expertise in Kubernetes, container security, and cloud-native penetration testing.