Topics

Reference materials covering offensive and defensive Kubernetes security techniques

Total: 26 topics (16 MITRE ATT&CK mapped, 16 offensive, 10 defensive)


Browse topics

Abusing Kubernetes API Server Proxy (offensive: Lateral Movement)
Bypassing network policies and accessing internal services through the Kubernetes API server proxy subresource

Abusing Kyverno MutatingPolicy (offensive: Privilege Escalation)
How MutatingPolicy access can be abused to change pods during admission in Kyverno

Cluster Reconnaissance via Prometheus (offensive: Reconnaissance)
Querying an unauthenticated Prometheus endpoint to map cluster topology without touching the Kubernetes API

Compromising etcd via Pod Creation (offensive: Credential Access)
Stealing etcd TLS material via a pod hostPath mount on the control plane

Data Exfiltration via Kubernetes Events (offensive: Exfiltration)
How attackers can misuse Kubernetes Events to move data out after cluster compromise

Detecting Data Exfiltration via Kubernetes Events (defensive)
Identifying abuse of the Kubernetes Events API to smuggle data out of a cluster through event message fields

Detecting Impersonation Abuse (defensive)
Identifying impersonation abuse by inspecting the impersonatedUser audit field and reviewing which subjects hold the impersonate verb

Detecting kubectl debug Activity via Audit Logs (defensive)
Identifying ephemeral container injection and node debug pod creation through API server audit events

Detecting Orphan Pod Masquerading via Audit Logs (defensive)
Identifying pods that mimic controller-managed naming patterns but were created directly by a user rather than a controller

Detecting Permission Enumeration via Audit Logs (defensive)
Spotting enumeration of current RBAC access by auditing SelfSubjectRulesReview events

Disable Automatic Mounting of Default Service Account Tokens (defensive)
Preventing token theft by controlling service account token mounting

Enforcing Read-Only Container Filesystems (defensive)
Preventing attackers from writing tools, backdoors, or scripts to a container's filesystem after gaining code execution

Hiding Services from Enumeration (defensive)
Preventing internal service discovery by disabling automatic injection of service environment variables

Internal Cluster Discovery (offensive: Reconnaissance)
Techniques for discovering available services, APIs, and potential attack vectors within a Kubernetes cluster

Kubernetes Impersonation (offensive: Privilege Escalation)
Abusing the impersonate verb and Impersonate-* headers so the API server authorizes requests as another user, group, or ServiceAccount

Orphan Pod Masquerading (offensive: Defense Evasion)
Creating orphan pods that mimic controller-managed naming conventions to blend in with legitimate workloads

Passive Secret Discovery via kube-state-metrics (offensive: Reconnaissance)
Passively discovering secret names, namespaces, and metadata cluster-wide by querying the unauthenticated kube-state-metrics endpoint

Persistence via Unbound Service Account Tokens (offensive: Persistence)
Using unbound tokens from the TokenRequest API to maintain cluster access after deleting the attacking pod

Privilege Escalation via serviceaccounts/token Permission (offensive: Privilege Escalation)
How create permission on the serviceaccounts/token subresource enables acquiring tokens for more privileged service accounts without pods or Secrets

Restricting Prometheus Endpoint Access (defensive)
Preventing unauthenticated access to Prometheus metrics that expose cluster topology, pod identities, and internal service addresses

Rogue Static Pod Deployment (offensive: Persistence)
Deploying static pod manifests that bypass API server admission to run containers invisible to kubectl and API-based monitoring

Securing ArgoCD Application Access (defensive)
Restricting ArgoCD RBAC, enforcing AppProject boundaries, and blocking privileged workload deployment through the ArgoCD confused deputy attack path

ServiceAccount Token Theft (offensive: Credential Access)
Techniques for obtaining ServiceAccount tokens using legitimate Kubernetes features without exploiting vulnerabilities

Weaponizing ArgoCD Application (offensive: Privilege Escalation)
Abusing ArgoCD as a confused deputy to deploy disguised privileged workloads cluster-wide and maintain persistent access

Weaponizing kubectl debug (offensive: Privilege Escalation)
Why kubectl debug is a privilege escalation path, not just a troubleshooting tool

Weaponizing Pod Creation Access (offensive: Privilege Escalation)
How pod creation permissions can be leveraged to escalate privileges and escape to the underlying node