Lateral Movement in the Kubernetes Cluster

8. Lateral Movement in the Kubernetes Cluster – ATT&CK® Matrix

MITRE’s ATT&CK®

Access Cloud Resources

Attackers may move from a compromised container to the cloud environment.





Container service account

Attackers who gain access to a container in the cluster may use the mounted service account token for sending requests to the API server and achieving access to additional resources in the cluster.

Cluster internal networking

Kubernetes networking behaviour allows traffic between pods in the cluster as a default behaviour. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.





Applications credentials in configuration files

Developers store secrets in the Kubernetes configuration files, for example, as environment variables in the pod configuration. Using those credentials attackers may gain access to additional resources inside and outside the cluster.

Writable volume mounts on the host

Attackers may attempt to gain access to the underlying host from a compromised container. (See “3: Writable hostPath mount” for more details.)





Access Kubernetes Dashboard

Attackers who have access to the Kubernetes dashboard may manage the cluster resources. And run their code on the several containers in the cluster using the built-in “exec” capability of the dashboard.

Access Tiller Endpoint

Helm is a popular package manager for Kubernetes maintained by CNCF. Tiller is the server-side component of Helm up to version 2.
Tiller reveals internal gRPC endpoint in the cluster, listens to port 44134. By default, this endpoint does not require authentication. Attackers may run code on any container that is accessible to the tiller’s service. And perform actions in the cluster, using the tiller’s service account, which often has great privileges.

