Back to Documentation

Kubernetes Security Basics: A Pentester's Guide

Release Date: June 15th, 2025

Introduction

Kubernetes (K8s) is a leading platform for orchestrating containerized applications, enabling scalability and automation. However, its complexity introduces significant security risks. This guide, tailored for Aegisbyte's audience, explores Kubernetes security from a penetration tester's perspective, highlighting key vulnerabilities and best practices to secure clusters.

Understanding Kubernetes Architecture

Kubernetes operates as a distributed system with components that manage containerized workloads. Key elements include:

  • Control Plane: Manages the cluster, comprising:
    • API Server: The central hub for cluster communication.
    • etcd: A key-value store for cluster data.
    • Controller Manager: Oversees controllers for maintaining desired states.
    • Scheduler: Assigns workloads to nodes.
  • Worker Nodes: Host application workloads, including:
    • Kubelet: Manages containers on a node.
    • Kube-Proxy: Handles networking and load balancing.
    • Container Runtime: Executes containers (e.g., Docker, containerd).
  • Pods: The smallest deployable units, containing one or more containers.

This architecture, while powerful, exposes attack surfaces if misconfigured. For example, an exposed API server or overly permissive Role-Based Access Control (RBAC) can lead to cluster compromise.

Kubernetes Architecture

Detailed Kubernetes Architecture Diagram showing API Server, etcd, Cloud Controller Manager, Scheduler, Controller Manager, kubelet, kube-proxy and Worker Nodes
Comprehensive Kubernetes architecture showing control plane components and worker nodes with their interactions
Tap or click on the diagram to view full-sized version

Common Attack Vectors

Penetration testers target several areas in Kubernetes clusters:

Misconfigured RBAC

Overly permissive roles or cluster roles allow unauthorized access to resources.

Example: A service account with cluster-admin privileges can be exploited to control the entire cluster.

Exposed Control Plane

Unsecured API servers (e.g., open to the internet without authentication) allow attackers to manipulate cluster resources.

Default credentials or weak authentication mechanisms are common vulnerabilities.

Pod Security Issues

Privileged pods or containers running as root can enable container escape attacks.

Misconfigured security contexts may allow attackers to access host resources.

Network Vulnerabilities

Lack of network policies can allow lateral movement within the cluster.

Exposed services via insecure ports or misconfigured ingress controllers are entry points.

Secret Management

Secrets stored in plain text or accessible via misconfigured RBAC can leak sensitive data like API keys or database credentials.

Secrets are often a prime target for attackers seeking to escalate privileges.

Penetration Testing Methodology

A structured approach to pentesting Kubernetes clusters includes:

  1. Reconnaissance

    • Identify exposed endpoints (e.g., API server, kubelet ports) using tools like nmap or kube-hunter.
    • Enumerate cluster resources with tools like kubectl to map roles, services, and pods.

  2. Access Enumeration

    • Check RBAC policies for overprivileged roles using tools like KubiScan or rbac-tool.
    • Look for service accounts with excessive permissions (e.g., ability to create pods or access secrets).

  3. Exploitation

    • Attempt to exploit misconfigured RBAC to escalate privileges.
    • Test for container escape by exploiting privileged pods or misconfigured security contexts.
    • Access sensitive data via exposed secrets or misconfigured storage.

  4. Post-Exploitation

    • Move laterally within the cluster by exploiting weak network policies.
    • Persist access by creating backdoors (e.g., malicious pods) or modifying existing workloads.

Kubernetes Threat Matrix

The Microsoft Threat Matrix for Kubernetes provides a structured framework for understanding attack techniques across the MITRE ATT&CK lifecycle. Key categories include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection and Exfiltration.

This matrix, adapted for Aegisbyte, is implemented as an interactive component below to help visualize and prioritize threats. Click on any technique to see more details about that attack vector:

Microsoft Threat Matrix for Kubernetes

Interactive exploration of attack techniques across the MITRE ATT&CK lifecycle

🔓
Initial Access
High
Exposed API ServerCritical

Attackers exploit unsecured API servers to gain cluster access.

Compromised CredentialsHigh

Stolen tokens or certificates provide unauthorized access.

Execution
Critical
Malicious Pod ExecutionHigh

Running malicious code within a pod.

Container EscapeCritical

Exploiting misconfigured containers to access the host.

🔒
Persistence
High
Rogue Pod CreationHigh

Deploying malicious pods for sustained access.

RBAC ModificationCritical

Altering roles to maintain control.

⬆️
Privilege Escalation
Critical
Overprivileged Service AccountCritical

Exploiting accounts with excessive permissions.

ClusterRole AbuseHigh

Using misconfigured cluster roles to gain higher privileges.

🛡️
Defense Evasion
High
Bypass Pod SecurityHigh

Evading Pod Security Standards or policies.

Disable AuditingCritical

Turning off audit logs to hide activities.

🔑
Credential Access
High
Secret TheftCritical

Accessing sensitive data from Kubernetes secrets.

Token ExtractionHigh

Stealing service account tokens from pods.

🔍
Discovery
Medium
Resource EnumerationMedium

Listing pods, services, or roles to identify targets.

Network MappingMedium

Discovering network policies and open ports.

↔️
Lateral Movement
High
Pod-to-Pod MovementHigh

Exploiting weak network policies to access other pods.

Node CompromiseCritical

Moving from a pod to the underlying node.

📤
Collection and Exfiltration
High
Data CollectionHigh

Gathering sensitive data from pods or storage.

Data ExfiltrationHigh

Transferring stolen data out of the cluster.

Best Practices for Securing Kubernetes

To mitigate risks, implement these security measures. Click on any practice for detailed implementation steps, security impact, and additional resources.

Enforce Pod SecurityWorkload SecurityIntermediate
Harden RBACAccess ControlIntermediate
Implement Network PoliciesNetwork SecurityIntermediate
Manage Secrets SecurelyData SecurityAdvanced
Monitor and AuditObservabilityBasic
Secure the Control PlaneInfrastructureAdvanced

Interactive Tools for Pentesting and Hardening

These tools help security professionals test and secure Kubernetes environments. Click on each tool to view installation instructions, usage examples, and documentation links.

Filter tools by category:

🔍

Kube-Hunter

Identifies vulnerabilities in Kubernetes clusters by actively hunting for security issues.

Penetration Testing
🔐

KubiScan

Analyzes RBAC configurations for risky permissions that could lead to privilege escalation.

Penetration Testing
🛡️

Trivy

Scans container images for vulnerabilities, helping prevent vulnerable containers from being deployed.

Pentesting & Hardening
📋

Kube-Bench

Checks compliance with CIS Kubernetes Benchmarks, providing guidance on hardening.

Hardening
👁️

Falco

Provides runtime security monitoring, detecting anomalous behavior in containers and hosts.

Hardening
🔎

Kubeaudit

Audits Kubernetes clusters for common security issues and misconfigurations.

Pentesting & Hardening

Conclusion

Kubernetes offers immense flexibility but demands rigorous security practices. By understanding its architecture, mapping threats using the Threat Matrix, and applying best practices, organizations can secure their clusters against attacks.

Aegisbyte recommends regular pentesting and continuous monitoring to stay ahead of evolving threats. The complexity of Kubernetes requires a defense-in-depth approach, addressing vulnerabilities at multiple layers.

For more information on securing your Kubernetes environments or to schedule a security assessment, contact Aegisbyte at security@aegisbyte.com.

References

Stay Updated on Kubernetes Security

Subscribe to receive the latest documentation updates, vulnerability notifications, research findings, and proof-of-concept demonstrations from our security experts.