Initial Access to the Kubernetes Cluster

Kubernetes-ATT&CK-Matrix
MITRE’s ATT&CK®
Cloud Credentials
The compromised cloud credential can direct to cluster takeover. It could lead access to the cluster’s management layer.
Example - Azure Kubernetes Service (AKS) in Microsoft Azure, Google Kubernetes Engine (GKP) in Google Cloud Platform (GCP), Elastic Kubernetes Service (EKS) in Amazon Web Services (AWS).
Compromised Images in Registry
Running a compromised image in a Kubernetes can arbitrate the entire cluster. Adversaries who gain access to a private registry can plant their arbitrary images in the container registry. Besides, users often use untrusted images from public registries (such as Docker Hub) that may be malicious.
Building images based on untrusted base images leads to similar results.
Kubeconfig File
Kubectl is the KubeConfig file which contains details about Kubernetes Clusters such as the location and the credentials. If the client is insecure and adversaries gains access to it then they can compromise the Kubernetes.
Kubernetes Application Vulnerability
The public-facing vulnerable apps in a cluster enable primary foothold to the Kubernetes cluster. It could lead to Remote Code Execution and hence very well exploited. If the service account is mounted to the container which is the most default settings in the Kubernetes then requests can be sent to the API Server using the valid service account credentials.
Exposed Kubernetes Dashboard
The web-based user interface that enables monitoring and managing a Kubernetes cluster. By default, the dashboard exhibits an internal endpoint (ClusterIP service). If the dashboard is disclosed externally, it can allow unauthenticated remote administration of the cluster.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.