This tactic includes techniques that enable attackers to gain additional or higher privileges in the environment. They can use these privileges to get access to more resources in the cluster or take other actions within the cluster. In containerized environments, they may get access to the node from a container.
A privileged container has all the capabilities of the host machine and none of the limitations of a regular container. If an attacker gains access to a privileged container or has the permissions to start a new privileged container, they can gain access to the host’s resources, or compromise other containers running on the same host.
Cluster-admin is a built-in, highly privileged role in Kubernetes. Users with this role have full access to the cluster and can potentially compromise it. Attackers with RBAC (role-based access control) permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin role or to other roles with high privileges.
A hostPath volume mounts a file or directory from the host into the container. This can allow attackers to gain access to the underlying host or its resources, break out of the container to the host, or compromise other containers running on the same host.
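The three paths described above (privileged containers, bindings to cluster-admin, and hostPath volumes) can be audited from exported manifests. The following is an added example, not part of the original page: the `audit` function name is hypothetical, the sample objects are constructed, and the input is assumed to be in the shape `kubectl get ... -o json` returns (a list with an `items` array).

```python
import json

# Constructed sample objects, in the shape `kubectl get ... -o json` returns.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Pod", "metadata": {"name": "debug", "namespace": "dev"},
  "spec": {"containers": [{"name": "sh", "securityContext": {"privileged": true}}],
           "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
  "spec": {"containers": [{"name": "nginx"}],
           "volumes": [{"name": "cache", "emptyDir": {}}]}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]}
]}
""")

def audit(objects):
    """Return (object, finding) pairs for the three escalation paths (hypothetical helper)."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        name = "/".join(filter(None, [kind, meta.get("namespace"), meta.get("name")]))
        if kind == "Pod":
            spec = obj.get("spec", {})
            # Init and ephemeral containers can set privileged too, so check them all.
            containers = (spec.get("containers", []) + spec.get("initContainers", [])
                          + spec.get("ephemeralContainers", []))
            for c in containers:
                if (c.get("securityContext") or {}).get("privileged") is True:
                    findings.append((name, f"privileged container {c['name']}"))
            for v in spec.get("volumes", []):
                if "hostPath" in v:
                    findings.append((name, f"hostPath mount {v['hostPath'].get('path')}"))
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            ref = obj.get("roleRef", {})
            if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
                for s in obj.get("subjects") or []:
                    findings.append((name, f"cluster-admin bound to {s['kind']} {s['name']}"))
    return findings

if __name__ == "__main__":
    for where, what in audit(SAMPLE["items"]):
        print(f"{where}: {what}")
```

Each finding is a candidate for review rather than proof of compromise, since some system workloads legitimately need these settings.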
Access Cloud Resources
An adversary who gains access to a single container in a cloud-hosted Kubernetes cluster may use this technique to access other cloud resources outside the cluster. For instance, if they gain access to the service principal credential file in Azure Kubernetes Service (AKS), they may be able to use these credentials to access or modify the cloud resources.