Kubernetes Namespace Escalation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

In Kubernetes it's pretty common that somehow you manage to get inside a namespace (by stealing some user credentials or by compromising a pod). However, usually you will be interested in escalating to a different namespace as more interesting things can be found there.

Here are some techniques you can try to escape to a different namespace:

Abuse K8s privileges

Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like creating pods with service accounts in the NS, executing a shell in an already existent pod inside of the ns, or read the secret SA tokens.

For more info about which privileges you can abuse read:

pageAbusing Roles/ClusterRoles in Kubernetes

Escape to the node

If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:

  • Check for SAs tokens mounted in other docker containers running in the node

  • Check for new kubeconfig files in the node with extra permissions given to the node

  • If enabled (or enable it yourself) try to create mirrored pods of other namespaces as you might get access to those namespaces default token accounts (I haven't tested this yet)

All these techniques are explained in:

pageAttacking Kubernetes from inside a Pod
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated