H3-2022-0092
Kubernetes Remote Code Execution with Service Token
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 9.8 |
Description
Service account tokens can be used to gain unauthorized access to the Kubernetes API. Depending on the permissions granted to the token, an attacker can gain remote code execution inside a container in the cluster.
Impact
An attacker holding a service account token can execute code in cluster containers by sending requests to the API server with that token.
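As an added example that is not part of the original report: a small Python audit that lists service accounts whose RBAC bindings let their token `create pods/exec`, the API permission that turns a leaked token into command execution in a container. The input objects are constructed dicts shaped like `kubectl get roles,rolebindings -o json` output; the function names and sample role names are assumptions.

```python
"""Audit RBAC for service accounts able to `create pods/exec` (hypothetical
helper; input is plain dicts shaped like Role/RoleBinding JSON from kubectl)."""

def rule_allows_exec(rule: dict) -> bool:
    """True if a PolicyRule covers create on pods/exec in the core API group."""
    groups, res, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    return (("" in groups or "*" in groups)
            and ("pods/exec" in res or "*" in res)
            and ("create" in verbs or "*" in verbs))

def exec_capable_service_accounts(roles: list, bindings: list) -> list:
    """Return (namespace, serviceaccount, role) triples whose token can exec."""
    exec_roles = {
        (r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"])
        for r in roles
        if any(rule_allows_exec(x) for x in r.get("rules", []))
    }
    findings = []
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        # A ClusterRole ref has no namespace; a Role ref lives in the binding's.
        key = (ref["kind"], None if ref["kind"] == "ClusterRole" else ns, ref["name"])
        if key not in exec_roles:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                findings.append((s.get("namespace", ns), s["name"], ref["name"]))
    return findings

# Constructed sample objects (not taken from the original report).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "dev", "name": "debug-bind"},
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "dev"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-bind"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    for ns, sa, role in exec_capable_service_accounts(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{ns}/{sa} can exec into pods via {role}")
```

Service accounts in the output should lose the binding, or have `automountServiceAccountToken: false` set on pods that do not need API access.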