OpenShift-Specific Attack Surface
OpenShift adds attack surface on top of standard Kubernetes: Security Context Constraints (SCCs) as the pod-level privilege boundary, an integrated OAuth server with pluggable identity providers, and an in-cluster build system (BuildConfigs with Source-to-Image, Docker and Custom strategies) that pushes its output into an internal image registry.
Primary Attack Targets
- SCC Misconfiguration - Bypass security constraints
- OAuth System - Token theft & impersonation
- Build System - S2I & BuildConfig exploits
- Internal Registry - Image manipulation
Critical OpenShift Attack Vectors
- anyuid SCC - Pods may run as any UID, including root (UID 0), inside the container; no host access by itself, but root in the container widens every later escape
- privileged SCC - Allows privileged containers, host PID/network/IPC namespaces and hostPath volumes; a privileged pod can mount the node's root filesystem and escape
- Tokens - Service account JWTs mounted into pods and OAuth access tokens issued to users (the two are different token types, both usable with `oc --token`)
- BuildConfig - Anyone who can create builds in a namespace runs arbitrary code in the build pod under the `builder` service account and controls what is pushed to the registry
Penetration Testing Methodology
OpenShift Assessment Phases
- Enumeration - SCC discovery, OAuth probing, user/group mapping
- SCC Analysis - Identify overly permissive security context constraints
- OAuth Attacks - Token theft, impersonation, credential harvesting
- Build Exploitation - Malicious BuildConfig, S2I builder attacks
- Post-Exploitation - Persistence, lateral movement, cluster takeover
SCC Attack Techniques
Security Context Constraints are the primary privilege boundary in OpenShift. Admission evaluates the SCCs that the creating user or the pod's service account may `use`, and admits the pod under the highest-priority (then least restrictive) one that fits; the chosen SCC is recorded in the pod's `openshift.io/scc` annotation. Misconfigurations, typically a permissive SCC granted to a broad group such as `system:authenticated` or to a widely used service account, allow attackers to escalate from restricted containers to host-level access.
SCC Exploitation Techniques
- SCC Discovery - List SCCs and who may use them (`oc get scc`, `oc adm policy who-can use scc <name>`); check which SCC running pods were admitted under via the `openshift.io/scc` annotation
- SCC Bypass - Create a pod through a service account or user that can `use` a more permissive SCC than restricted-v2, requesting root, host namespaces or hostPath volumes
- Container Escape - From a pod admitted under privileged or a hostPath-capable SCC, mount the node root filesystem or join the host PID namespace
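To make the SCC analysis concrete, the script below is an added example written for this article (not OpenShift tooling): it reads `oc get scc -o json` output and flags each SCC that grants host access, an arbitrary UID, or dangerous capabilities, and whether that SCC is reachable by every authenticated principal. The three SCC documents embedded in it are constructed to resemble real output; the `ci-tools:jenkins` service account and the `anyuid` grant to `system:authenticated` are hypothetical misconfigurations.

```python
"""Flag over-permissive SecurityContextConstraints from `oc get scc -o json`.

Added example for this article, not OpenShift tooling. The SCC documents
below are constructed to resemble real `oc get scc -o json` output; the
service account and group grants are hypothetical misconfigurations.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: trimmed `oc get scc -o json` with three SCCs.
SAMPLE_SCC_JSON = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "SecurityContextConstraints", "metadata": {"name": "restricted-v2"},
         "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
         "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
         "allowHostPorts": False, "allowPrivilegeEscalation": False,
         "allowedCapabilities": ["NET_BIND_SERVICE"], "requiredDropCapabilities": ["ALL"],
         "runAsUser": {"type": "MustRunAsRange"}, "seLinuxContext": {"type": "MustRunAs"},
         "users": [], "groups": ["system:authenticated"], "priority": None},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "anyuid"},
         "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
         "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
         "allowHostPorts": False, "allowPrivilegeEscalation": True,
         "allowedCapabilities": None, "requiredDropCapabilities": ["MKNOD"],
         "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "MustRunAs"},
         # Hypothetical misconfiguration: anyuid handed to every authenticated user
         # (the result of `oc adm policy add-scc-to-group anyuid system:authenticated`).
         "users": [], "groups": ["system:cluster-admins", "system:authenticated"], "priority": 10},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "privileged"},
         "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
         "allowHostNetwork": True, "allowHostPID": True, "allowHostIPC": True,
         "allowHostPorts": True, "allowPrivilegeEscalation": True,
         "allowedCapabilities": ["*"], "requiredDropCapabilities": None,
         "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "RunAsAny"},
         "users": ["system:admin", "system:serviceaccount:openshift-infra:build-controller",
                   "system:serviceaccount:ci-tools:jenkins"],  # hypothetical SA grant
         "groups": ["system:cluster-admins", "system:nodes", "system:masters"], "priority": None},
    ],
})

# Boolean SCC fields that each independently open a path to the node.
HOST_FLAGS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
              "allowHostPID", "allowHostNetwork", "allowHostIPC", "allowHostPorts")
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth", "system:unauthenticated"}
DANGEROUS_CAPS = {"*", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


@dataclass
class Finding:
    scc: str
    severity: str                      # "high" or "medium"
    issues: list = field(default_factory=list)
    subjects: list = field(default_factory=list)


def audit_sccs(scc_json):
    """Return one Finding per SCC that grants anything beyond restricted-v2."""
    findings = []
    for scc in json.loads(scc_json)["items"]:
        issues = []
        flags = [f for f in HOST_FLAGS if scc.get(f)]
        if flags:
            issues.append("host access: " + ", ".join(flags))
        if scc.get("runAsUser", {}).get("type") == "RunAsAny":
            issues.append("runAsUser RunAsAny (UID 0 allowed)")
        caps = set(scc.get("allowedCapabilities") or []) & DANGEROUS_CAPS
        if caps:
            issues.append("capabilities: " + ", ".join(sorted(caps)))
        if not issues:
            continue
        groups = set(scc.get("groups") or [])
        broad = groups & BROAD_GROUPS
        if broad:
            issues.append("granted to broad group(s): " + ", ".join(sorted(broad)))
        # Any host flag is high on its own; a UID/capability issue is high only
        # when every authenticated principal can use the SCC.
        severity = "high" if (flags or broad) else "medium"
        subjects = list(scc.get("users") or []) + sorted(groups)
        findings.append(Finding(scc["metadata"]["name"], severity, issues, subjects))
    return findings


if __name__ == "__main__":
    for f in audit_sccs(SAMPLE_SCC_JSON):
        print(f"[{f.severity.upper()}] {f.scc}: {'; '.join(f.issues)}")
        print("    subjects:", ", ".join(f.subjects) or "(none listed; check RBAC 'use' grants)")
```

The `users` and `groups` fields are only half the picture: since OpenShift 4, SCC access is also granted through RBAC roles that allow the `use` verb on `securitycontextconstraints`, so follow each finding with `oc adm policy who-can use scc <name>` to get the effective subject list.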
OAuth & Authentication Attacks
OpenShift's integrated OAuth server provides centralized authentication against configured identity providers (HTPasswd, LDAP, OpenID Connect and others) and issues the access tokens that `oc login` and the web console use. Misconfigurations in the providers, in token handling, or in who may impersonate whom create opportunities for credential theft and impersonation.
- Token Theft - Extract tokens from Secrets, kubeconfig files, CI variables, or pod mounts; a stolen token is used directly with `oc --token=<token>` and inherits the owner's RBAC
- Impersonation - `oc --as=<user> --as-group=<group>` acts as another principal, but only if the caller's RBAC allows the `impersonate` verb on users, groups or serviceaccounts (check with `oc auth can-i impersonate users`); it is a privilege to look for, not something a stolen token provides by itself
- OAuth Client Abuse - Register or modify OAuthClient objects (cluster-scoped) to obtain tokens on behalf of users, or abuse overly broad redirect URIs on existing clients
- Service Account Token - Read the projected JWT at /var/run/secrets/kubernetes.io/serviceaccount/token inside any compromised pod; legacy secret-based tokens never expire, bound tokens do
- HTPasswd Password Spraying - The HTPasswd identity provider accepts credentials through the OAuth server login flow (`oc login -u <user> -p <pass>`), which makes spraying weak passwords straightforward
- OIDC Misconfiguration - Identity mapping decides which OpenShift user an upstream identity becomes; selecting a mutable claim such as email as the identity claim lets anyone who controls that email at the upstream provider take over the mapped OpenShift user
OpenShift vs Kubernetes Attacks
Unique OpenShift Exploits
Build System Exploitation
BuildConfig Attack Vectors
- Git Source Injection - Point the BuildConfig at an attacker-controlled repository or branch, or tamper with a source fetched over cleartext HTTP, so the build compiles and ships attacker code
- Malicious S2I Builder - Replace or retag the builder image a Source strategy pulls from (often a shared ImageStreamTag in the `openshift` namespace) so every dependent build runs attacker code at build time
- Build Strategy Override - Switch a BuildConfig to the Docker strategy (arbitrary Dockerfile) or the Custom strategy (attacker-chosen builder image); strategies are gated by the `system:build-strategy-*` cluster roles, and Custom is not granted to authenticated users by default, so a namespace where it works is a finding on its own
- Registry Poisoning - Push or retag images in the internal registry (requires `system:image-pusher` or equivalent in the target namespace); a build's `output.to` pointing at another namespace's ImageStreamTag is the same attack expressed in YAML
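A review pass over `oc get bc -A -o json` catches most of the vectors above before anyone triggers a build. The script below is an added example for this article, not OpenShift tooling: it flags Docker and Custom strategies, `exposeDockerSocket`, a non-default build service account, cleartext Git sources, inline Dockerfiles that pipe remote scripts to a shell, output tags in a foreign namespace, and webhook secrets stored inline in the BuildConfig. The three BuildConfigs it embeds are constructed; the `app-prod`/`ci-tools` namespaces, repositories and secret names are hypothetical.

```python
"""Review BuildConfigs from `oc get bc -A -o json` for abuse potential.

Added example for this article, not OpenShift tooling. The BuildConfig
documents below are constructed; namespaces, repos and names are hypothetical.
"""
import json

SAMPLE_BC_JSON = json.dumps({"kind": "List", "items": [
    # Ordinary S2I build, but both webhook secrets are inline (deprecated form).
    {"metadata": {"name": "web", "namespace": "app-prod"},
     "spec": {"source": {"type": "Git", "git": {"uri": "https://git.example.test/app/web.git", "ref": "main"}},
              "strategy": {"type": "Source", "sourceStrategy": {"from": {"kind": "ImageStreamTag", "namespace": "openshift", "name": "nodejs:18-ubi8"}}},
              "output": {"to": {"kind": "ImageStreamTag", "name": "web:latest"}},
              "triggers": [{"type": "GitHub", "github": {"secret": "changeme"}},
                           {"type": "Generic", "generic": {"secret": "changeme"}},
                           {"type": "ConfigChange"}]}},
    # Docker build whose output overwrites the shared nodejs builder tag.
    {"metadata": {"name": "tooling", "namespace": "ci-tools"},
     "spec": {"source": {"type": "Dockerfile", "dockerfile": "FROM registry.access.redhat.com/ubi8\nRUN curl -sk https://tooling.example.test/setup.sh | sh"},
              "strategy": {"type": "Docker", "dockerStrategy": {"noCache": True}},
              "output": {"to": {"kind": "ImageStreamTag", "namespace": "openshift", "name": "nodejs:18-ubi8"}},
              "triggers": [{"type": "GitHub", "github": {"secretReference": {"name": "gh-hook"}}}]}},
    # Custom build: attacker-chosen builder image, runs as a privileged SA.
    {"metadata": {"name": "legacy-builder", "namespace": "ci-tools"},
     "spec": {"serviceAccount": "ci-deployer",
              "source": {"type": "Git", "git": {"uri": "http://git.internal.test/ci/builder.git"}},
              "strategy": {"type": "Custom", "customStrategy": {"from": {"kind": "DockerImage", "name": "quay.example.test/ci/custom-builder:latest"}, "exposeDockerSocket": True}},
              "output": {"to": {"kind": "ImageStreamTag", "name": "builder:latest"}}}},
]})

WEBHOOK_TYPES = {"GitHub", "GitLab", "Bitbucket", "Generic"}


def review_buildconfigs(bc_json):
    """Map 'namespace/name' -> list of issues for every risky BuildConfig."""
    findings = {}
    for bc in json.loads(bc_json)["items"]:
        ns, name = bc["metadata"]["namespace"], bc["metadata"]["name"]
        spec = bc["spec"]
        issues = []
        strategy = spec["strategy"]["type"]
        if strategy == "Docker":
            issues.append("Docker strategy: arbitrary Dockerfile runs in the build pod")
        if strategy == "Custom":
            issues.append("Custom strategy: builder image is attacker-chosen")
            if spec["strategy"].get("customStrategy", {}).get("exposeDockerSocket"):
                issues.append("exposeDockerSocket set: requests the host container-runtime socket (deprecated; treat as host exposure)")
        sa = spec.get("serviceAccount", "builder")
        if sa != "builder":
            issues.append(f"non-default build SA {sa!r}: build code inherits its RBAC")
        src = spec.get("source", {})
        if src.get("git", {}).get("uri", "").startswith("http://"):
            issues.append("cleartext git source: on-path attacker can substitute code")
        if src.get("type") == "Dockerfile" and "| sh" in src.get("dockerfile", ""):
            issues.append("inline Dockerfile pipes a remote script to a shell")
        out = spec.get("output", {}).get("to", {})
        if out.get("kind") == "ImageStreamTag" and out.get("namespace") not in (None, ns):
            issues.append(f"output overwrites a tag in another namespace: {out['namespace']}/{out['name']}")
        for trig in spec.get("triggers", []):
            ttype = trig.get("type", "")
            if ttype in WEBHOOK_TYPES and "secret" in trig.get(ttype.lower(), {}):
                issues.append(f"{ttype} webhook secret stored inline; readable by anyone with get on buildconfigs")
        if issues:
            findings[f"{ns}/{name}"] = issues
    return findings


if __name__ == "__main__":
    for bc, issues in review_buildconfigs(SAMPLE_BC_JSON).items():
        print(bc)
        for issue in issues:
            print("  -", issue)
```

On a live cluster the same checks run against `oc get bc -A -o json`; pair the output with `oc auth can-i create builds/docker -n <ns>` and `oc auth can-i create builds/custom -n <ns>` to confirm which strategies the current principal could actually switch a BuildConfig to.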
Pentesting Tools & Commands
Enumeration
- oc whoami (and oc whoami -t for the current token)
- oc get scc; oc adm policy who-can use scc <name>
- oc auth can-i --list
- oc get oauth cluster -o yaml (identity providers); oc get oauthclients
- oc get pods -A -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc
Exploitation
- peirates
- kubeletctl
- kubectl-who-can
- kdigger
Post-Exploitation
- Token extraction
- Secret dumping
- Admission webhook persistence (mutating/validating)
- Backdoor images
Reporting
- MITRE ATT&CK mapping
- Risk scoring
- Remediation steps
- Executive summary
Key Takeaway
OpenShift penetration testing requires platform-specific expertise beyond standard Kubernetes attacks. Focus on SCCs (who can `use` which), OAuth (token types, impersonation rights, identity provider mapping) and the build system (strategies, builder images, registry pushes) as primary targets.
Written by
Asfaleia Team
Security Consultant
Offensive security specialist with expertise in container platform penetration testing and Red Team operations.