Attackers use persistence techniques to retain access to a Kubernetes cluster and maintain a presence within it even after they lose their initial foothold, for example when the compromised pod is deleted, a stolen credential is rotated, or a node is replaced. To do this, they may take advantage of Kubernetes controllers, mount a writable host path into a container, run recurring Kubernetes jobs, or register a malicious admission webhook.
Backdoor Container
An attacker with permission to create workloads can use Kubernetes controllers such as DaemonSets or Deployments to keep a container of their choosing running. A DaemonSet schedules one pod on every node (or every node matching its selector), and a Deployment keeps a fixed number of replicas running; in both cases the controller recreates the pod if it is deleted or its node goes away, so deleting a suspicious pod does not remove the access unless the owning controller is removed as well. The container can then execute arbitrary code in the cluster with whatever service account and node access it was given. A practical check is to compare the DaemonSets and Deployments in every namespace, especially kube-system, against the expected inventory (kubectl get daemonsets,deployments -A).
Writeable hostPath Mount
The hostPath volume mounts a file or directory from the node's filesystem into the container. If the attacker has permission to create a pod (or a controller that creates pods) and no admission policy blocks hostPath, they can mount a writable host directory such as / or /etc/cron.d and persist on the underlying node rather than merely in a container: for example by creating a cron job on the host, adding an SSH key, or modifying kubelet configuration. Combined with a DaemonSet, the same writable mount lands on every node. Whether the mount is marked readOnly matters: a read-only mount of a sensitive path still leaks data such as the kubelet's credentials, but only a writable one lets the attacker plant files. The Pod Security Standards reject hostPath volumes at the baseline and restricted levels, so enforcing them on namespaces with Pod Security Admission removes this technique for unprivileged users.
Kubernetes CronJob
A Kubernetes Job controller creates one or more pods to accomplish a specific task and ensures that a specified number of them terminate successfully; it is used to run containers that perform finite tasks such as batch work. A CronJob creates Jobs on a recurring schedule written in cron syntax. An attacker can leverage a CronJob to schedule the execution of malicious code, which runs as a container in the cluster on every tick of the schedule. Because each run is a fresh Job and pod, deleting the running pod only delays the next execution; the CronJob object itself has to be removed. For this reason the CronJobs in all namespaces (kubectl get cronjobs -A), and the images and volumes in their jobTemplate, are worth reviewing.
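The three mechanisms above (controller-managed pods, writable hostPath mounts and CronJob schedules) can be checked for in workload manifests with a small audit script. The following is an added example written for this page, not code from the original or from any Kubernetes project. It uses only the Python standard library; the list of sensitive host paths, the example.invalid image names and the three sample manifests are assumed and constructed for the example.

```python
"""Audit workload manifests for the persistence patterns described above:
controller-backed pods, writable hostPath mounts and CronJob schedules.
Standard library only; a manifest is the dict json.load() gives for
`kubectl get <kind> <name> -o json`."""
import json

# Host paths that give code in a container a foothold on the node. Assumed
# starter list for this example, not an official one; extend it per cluster.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/root", "/home", "/var/lib/kubelet", "/var/run/docker.sock",
    "/run/containerd", "/var/spool/cron", "/etc/cron.d", "/etc/kubernetes",
)

def pod_spec(manifest):
    """Return the pod spec embedded in a workload manifest, or None."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> Job template -> pod template
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    if kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
        return spec.get("template", {}).get("spec", {})
    return None

def is_sensitive(host_path):
    """True if host_path is, or lies under, a sensitive path. '/' matches
    only an exact mount of the node's root filesystem."""
    norm = host_path.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        p = p.rstrip("/") or "/"
        if p == "/":
            if norm == "/":
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False

def audit_workload(manifest):
    """Return 'SEVERITY kind/name: message' findings for one manifest."""
    kind = manifest.get("kind", "?")
    ident = f"{kind}/{manifest.get('metadata', {}).get('name', '?')}"
    spec = pod_spec(manifest)
    if spec is None:
        return [f"INFO {ident}: kind not audited"]
    findings = []
    # Controller-backed pods outlive deletion: the controller recreates them.
    if kind == "DaemonSet":
        findings.append(f"INFO {ident}: DaemonSet places a pod on every node and recreates it if deleted")
    elif kind in ("Deployment", "StatefulSet", "ReplicaSet"):
        findings.append(f"INFO {ident}: keeps {manifest.get('spec', {}).get('replicas', 1)} replica(s) running")
    elif kind == "CronJob":
        findings.append(f"INFO {ident}: recurring execution on schedule {manifest.get('spec', {}).get('schedule')!r}")
    # volume name -> host path for every hostPath volume in the pod
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            path = host_vols.get(m.get("name"))
            if path is None or m.get("readOnly", False):
                continue  # not a hostPath, or read-only: nothing can be planted on the node
            sev = "HIGH" if is_sensitive(path) else "MEDIUM"
            findings.append(f"{sev} {ident}: container {c.get('name')!r} mounts host path "
                            f"{path!r} writable at {m.get('mountPath')!r}")
    return findings

# Constructed sample manifests for this example, not captured from a real cluster.
BACKDOOR_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "node-helper", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "helper", "image": "example.invalid/helper:latest",
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}}
SCHEDULED_TASK = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "cache-warmer", "namespace": "default"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "warm", "image": "example.invalid/warm:latest",
                        "volumeMounts": [{"name": "cron", "mountPath": "/mnt/cron"}]}],
        "volumes": [{"name": "cron", "hostPath": {"path": "/etc/cron.d"}}]}}}}}}
LOG_SHIPPER = {  # legitimate pattern: read-only mount of the node's log directory
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "log-shipper", "namespace": "logging"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "ship", "image": "example.invalid/ship:1.0",
                        "volumeMounts": [{"name": "logs", "mountPath": "/var/log", "readOnly": True}]}],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}}}}

if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():
        manifests = [BACKDOOR_DAEMONSET, SCHEDULED_TASK, LOG_SHIPPER]
    else:  # e.g. kubectl get daemonsets,deployments,cronjobs -A -o json | python3 audit.py
        doc = json.load(sys.stdin)
        manifests = doc.get("items", [doc])  # a List of objects, or a single object
    for m in manifests:
        for finding in audit_workload(m):
            print(finding)
```

Run without input it audits the three samples: the DaemonSet with a writable mount of / and the CronJob writing into /etc/cron.d each produce a HIGH finding, while the log shipper's read-only mount produces only the informational note that a DaemonSet recreates its pods. Piped the JSON output of kubectl get for several kinds across all namespaces, it audits every object in the returned List. The severity split is deliberate: a read-only hostPath is a confidentiality problem but not a persistence one, which is what this section is about.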
Malicious Admission Controller
A threat actor may register a malicious admission webhook in Kubernetes both to persist and to access credentials. ValidatingAdmissionWebhook is a generic, built-in admission controller whose behaviour is determined by the webhooks registered in ValidatingWebhookConfiguration objects; for each matching request the API server sends the webhook an AdmissionReview containing the full object being admitted, before it is stored. A webhook whose rules cover CREATE and UPDATE on secrets therefore sees every secret's data (base64-encoded, not encrypted) and can record it, and it keeps doing so for as long as the configuration exists, regardless of which pod or credential the attacker originally used. A MutatingAdmissionWebhook receives the same review and can additionally alter the object. Creating these configurations requires cluster-scoped rights in the admissionregistration.k8s.io API group, so the technique typically follows a privilege escalation. To check, list the validating and mutating webhook configurations and inspect each webhook's rules, its clientConfig (an in-cluster service or an external URL) and its failurePolicy; an attacker may choose failurePolicy Ignore so that an outage of their backend does not break the cluster and draw attention.
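To find a webhook positioned this way, the following added example (written for this page, not code from the original or from any Kubernetes project) walks webhook configurations and reports every webhook whose rules cover Secrets, where its backend lives, and whether it is set to fail open. The allow-list of expected backend namespaces is an assumption, and both sample configurations are constructed for the example; the benign one is loosely modelled on the shape of a typical third-party operator webhook.

```python
"""Audit admission webhook configurations for webhooks positioned to read
Secret contents. Standard library only; input is the dict form of
`kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json`."""
import json

# Namespaces whose webhook backends are expected in this cluster. Assumed allow
# list for the example; adjust it to your own inventory.
EXPECTED_BACKEND_NAMESPACES = {"kube-system", "cert-manager", "gatekeeper-system"}

def rule_covers_secrets(rule):
    """True if an admission rule matches core-group Secret objects."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:  # Secrets live in the core ("") group
        return False
    for r in rule.get("resources", []):
        if r.split("/", 1)[0] in ("secrets", "*"):  # "secrets", "secrets/*", "*", "*/*"
            return True
    return False

def audit_webhook_config(cfg):
    """Return 'SEVERITY config/webhook: message' findings for one configuration."""
    findings = []
    kind = cfg.get("kind", "?")
    cname = cfg.get("metadata", {}).get("name", "?")
    for wh in cfg.get("webhooks", []):
        ident = f"{kind}/{cname}/{wh.get('name', '?')}"
        secret_rules = [r for r in wh.get("rules", []) if rule_covers_secrets(r)]
        if not secret_rules:
            continue
        ops = sorted({op for r in secret_rules for op in r.get("operations", [])})
        client = wh.get("clientConfig", {})
        if "url" in client:  # the AdmissionReview, secret data included, leaves the cluster
            backend, sev = f"external URL {client['url']!r}", "HIGH"
        else:
            svc = client.get("service", {})
            backend = f"service {svc.get('namespace')}/{svc.get('name')}"
            sev = "MEDIUM" if svc.get("namespace") in EXPECTED_BACKEND_NAMESPACES else "HIGH"
        notes = []
        if wh.get("failurePolicy") == "Ignore":  # default is Fail; Ignore hides a dead backend
            notes.append("failurePolicy=Ignore, so a backend outage goes unnoticed")
        if not wh.get("namespaceSelector") and not wh.get("objectSelector"):
            notes.append("no selector, so every namespace is covered")
        msg = f"{sev} {ident}: receives {','.join(ops)} on Secrets at {backend}"
        if notes:
            msg += " (" + "; ".join(notes) + ")"
        findings.append(msg)
    return findings

# Constructed sample configurations for this example, not from a real cluster.
SUSPICIOUS = {
    "apiVersion": "admissionregistration.k8s.io/v1", "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "policy-check"},
    "webhooks": [{"name": "policy-check.example.invalid",
                  "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                             "operations": ["CREATE", "UPDATE"], "resources": ["secrets"]}],
                  "clientConfig": {"service": {"namespace": "default", "name": "policy-check", "path": "/validate"}},
                  "failurePolicy": "Ignore", "sideEffects": "None", "admissionReviewVersions": ["v1"]}]}
BENIGN = {  # an operator's webhook: its own API group, backend in an expected namespace
    "apiVersion": "admissionregistration.k8s.io/v1", "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "cert-manager-webhook"},
    "webhooks": [{"name": "webhook.cert-manager.io",
                  "rules": [{"apiGroups": ["cert-manager.io"], "apiVersions": ["*"],
                             "operations": ["CREATE", "UPDATE"], "resources": ["*/*"]}],
                  "clientConfig": {"service": {"namespace": "cert-manager", "name": "cert-manager-webhook", "path": "/validate"}},
                  "failurePolicy": "Fail", "sideEffects": "None", "admissionReviewVersions": ["v1"]}]}

if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():
        configs = [SUSPICIOUS, BENIGN]
    else:  # kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json | python3 hooks.py
        doc = json.load(sys.stdin)
        configs = doc.get("items", [doc])
    for cfg in configs:
        for finding in audit_webhook_config(cfg):
            print(finding)
```

The suspicious configuration yields one HIGH finding: a webhook in the default namespace receiving CREATE and UPDATE on Secrets cluster-wide with failurePolicy Ignore. The operator-style webhook yields nothing because its rules never touch the core API group. A backend reached by URL rather than Service is always rated HIGH, since secret contents would leave the cluster on every matching request.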