Kubernetes Pentesting

https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security

Kubernetes Pentesting:

Kubernetes Basics

Pentesting Kubernetes Services

Exposing Services in Kubernetes

Attacking Kubernetes from inside a Pod

Kubernetes Enumeration

Kubernetes Role-Based Access Control (RBAC)

Abusing Roles/ClusterRoles in Kubernetes

Kubernetes Namespace Escalation

Kubernetes Pivoting to Clouds

Kubernetes Network Attacks

Kubernetes Hardening

Kubernetes Basics

If you don't know anything about Kubernetes, this is a good start. Read it to learn about the architecture, components and basic actions in Kubernetes:

Kubernetes Basics

Labs to practice and learn

Hardening Kubernetes / Automatic Tools

Kubernetes Hardening

Manual Kubernetes Pentest

From the Outside

There are several Kubernetes services that you could find exposed on the Internet (or inside internal networks). If you find them, you know there is a Kubernetes environment there.

Depending on the configuration and your privileges, you might be able to abuse that environment. For more information:

Pentesting Kubernetes Services

Enumeration inside a Pod

If you manage to compromise a Pod, read the following page to learn how to enumerate and try to escalate privileges/escape:

Attacking Kubernetes from inside a Pod

Enumerating Kubernetes with Credentials

You might have managed to compromise user credentials, a user token or a service account token. You can use it to talk to the Kubernetes API service and enumerate it to learn more about the environment:

Kubernetes Enumeration

Another important detail about enumeration and Kubernetes permission abuse is Kubernetes Role-Based Access Control (RBAC). If you want to abuse permissions, you should first read about it here:

Kubernetes Role-Based Access Control (RBAC)

Knowing about RBAC and having enumerated the environment, you can now try to abuse the permissions with:

Abusing Roles/ClusterRoles in Kubernetes

Privesc to a different Namespace

If you have compromised a namespace, you can potentially escape to other namespaces with more interesting permissions/resources:

Kubernetes Namespace Escalation

From Kubernetes to the Cloud

If you have compromised a K8s account or a pod, you might be able to move to other clouds. This is because in clouds like AWS or GCP it is possible to give a K8s SA permissions over the cloud.

Kubernetes Pivoting to Clouds
