Kubernetes Cluster Attack
What is Kubernetes Cluster Attack?
An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
A Kubernetes cluster attack targets the API server, kubelet, etcd, or the workloads themselves to gain code execution, steal secrets, or take over the cluster. Common entry points include a kube-apiserver reachable from the Internet with anonymous access enabled, a kubelet read-write API (port 10250) that accepts unauthenticated requests, vulnerable admission webhooks, service-account tokens stolen from a compromised pod, and overprivileged pods. From an initial foothold, attackers chase paths such as pod-to-node escape via hostPath mounts or privileged containers, replay of a stolen service-account token against the API server, or abuse of over-broad ClusterRoleBindings, up to cluster-admin itself. Defences include least-privilege RBAC, OIDC-based authentication, network policies, runtime security (Falco, Tetragon), admission controllers such as Kyverno or OPA Gatekeeper that reject privileged and hostPath pods, and signed, minimal container images.
● Examples
- 01
A kubelet listening on port 10250 with anonymous authentication and AlwaysAllow authorization lets anyone who can reach the node exec into every pod running on it.
- 02
A leaked service-account token bound to a ClusterRole that can list Secrets lets the attacker read every Secret in every namespace with a single API call.
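The two examples above, and the escalation paths in the definition, are the kind of thing an auditor checks for before an attacker does. The script below is an added example (not code from the original page or from any Kubernetes project): it walks ClusterRoles, ClusterRoleBindings and pod specs in the shape `kubectl get ... -o json` returns and reports service accounts bound to cluster-admin, roles that can list Secrets or exec into pods, and pods that can reach the node through privileged containers, hostPath mounts or a shared host PID/network namespace. The `SAMPLE_*` objects are constructed for the example; a real run would load the `kubectl` output instead.

```python
"""Offline audit for the escalation paths described above: service accounts
bound to cluster-admin, ClusterRoles that can list Secrets or exec into pods,
and pods that reach the node via privileged containers or hostPath mounts.
Inputs mirror `kubectl get clusterroles,clusterrolebindings -o json` and
`kubectl get pods -A -o json`; the SAMPLE_* objects are constructed for this
example, not taken from a real cluster."""

# Cluster-wide grants worth a finding on their own. apiGroups are not checked
# here; Secrets and Pods live in the core ("") group.
DANGEROUS = {
    ("secrets", "list"): "can list Secrets (contents included) cluster-wide",
    ("pods/exec", "create"): "can exec into any pod",
    ("pods", "create"): "can create pods, including privileged or hostPath pods",
}

def _match(allowed, wanted):
    """RBAC fields match on an exact name or the '*' wildcard."""
    return "*" in allowed or wanted in allowed

def rule_grants(rule, resource, verb):
    """True if a single PolicyRule grants `verb` on `resource`
    (subresources appear as 'pods/exec' in rule['resources'])."""
    return _match(rule.get("verbs", []), verb) and _match(rule.get("resources", []), resource)

def subject_name(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount {subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']} {subject['name']}"

def audit_rbac(cluster_roles, bindings):
    """Return (subject, reason) findings for every ClusterRoleBinding subject
    holding a dangerous permission. Only cluster-scoped bindings are examined,
    since their grants reach every namespace."""
    roles = {r["metadata"]["name"]: r.get("rules", []) for r in cluster_roles}
    findings = []
    for b in bindings:
        role = b["roleRef"]["name"]
        if role == "cluster-admin":
            reasons = ["bound to cluster-admin"]
        else:
            reasons = [why for (res, verb), why in DANGEROUS.items()
                       if any(rule_grants(r, res, verb) for r in roles.get(role, []))]
        for s in b.get("subjects", []):
            findings += [(subject_name(s), f"{why} via ClusterRole {role}") for why in reasons]
    return findings

def audit_pods(pods):
    """Flag pods that can break out to the node: privileged containers,
    hostPath volumes, or a shared host PID/network namespace."""
    findings = []
    for p in pods:
        name = f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        spec = p["spec"]
        if spec.get("hostPID") or spec.get("hostNetwork"):
            findings.append((name, "shares the host PID or network namespace"))
        for v in spec.get("volumes", []):
            if "hostPath" in v:
                findings.append((name, f"mounts hostPath {v['hostPath']['path']}"))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append((name, f"container {c['name']} is privileged"))
    return findings

# Constructed sample cluster: a CI runner bound to cluster-admin, a backup
# account that can list Secrets, a harmless read-only group, and one
# privileged hostPath pod next to an ordinary web pod.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "view-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup", "namespace": "ops"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "view-only"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]
SAMPLE_PODS = [
    {"metadata": {"name": "node-tuner", "namespace": "kube-system"},
     "spec": {"hostPID": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "tuner", "image": "busybox",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
]

if __name__ == "__main__":
    for subject, why in audit_rbac(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"RBAC  {subject}: {why}")
    for pod, why in audit_pods(SAMPLE_PODS):
        print(f"POD   {pod}: {why}")
```

On the sample data the read-only `developers` group produces no finding, while the CI runner (cluster-admin) and the backup account (Secrets listing) are both reported, as is the privileged hostPath pod. Namespaced RoleBindings are deliberately left out: they also deserve review, but it is the cluster-scoped grants that turn one leaked token into every Secret in the cluster.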
● Frequently asked questions
What is Kubernetes Cluster Attack?
An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes. It belongs to the Cloud Security category of cybersecurity.
What does Kubernetes Cluster Attack mean?
An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
How does Kubernetes Cluster Attack work?
A Kubernetes cluster attack targets the API server, kubelet, etcd, or the workloads themselves to gain code execution, steal secrets, or take over the cluster. Common entry points include a kube-apiserver reachable from the Internet with anonymous access enabled, a kubelet read-write API (port 10250) that accepts unauthenticated requests, vulnerable admission webhooks, service-account tokens stolen from a compromised pod, and overprivileged pods. From an initial foothold, attackers chase paths such as pod-to-node escape via hostPath mounts or privileged containers, replay of a stolen service-account token against the API server, or abuse of over-broad ClusterRoleBindings, up to cluster-admin itself. Defences include least-privilege RBAC, OIDC-based authentication, network policies, runtime security (Falco, Tetragon), admission controllers such as Kyverno or OPA Gatekeeper that reject privileged and hostPath pods, and signed, minimal container images.
How do you defend against Kubernetes Cluster Attack?
Defences for Kubernetes Cluster Attack combine technical controls with operational practice: least-privilege RBAC with no cluster-admin bindings for service accounts, OIDC-based authentication, network policies, runtime security tools such as Falco or Tetragon, admission controllers such as Kyverno or OPA Gatekeeper that block privileged and hostPath pods, and signed, minimal container images, as detailed in the full definition above.
What are other names for Kubernetes Cluster Attack?
Common alternative names include: K8s cluster compromise, Kubernetes intrusion.
● Related terms
- cloud-security № 211
Container Escape
An exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel.
- cloud-security № 505
IAM Privilege Escalation
Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- cloud-security № 190
Cloud Token Theft
Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
- cloud-security № 183
Cloud Data Exfiltration
The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.
- cloud-security № 255
CSPM Finding
An alert produced by a Cloud Security Posture Management tool when a cloud resource violates a security benchmark, policy, or compliance rule.
● See also
- № 182 Cloud Cryptojacking