can-i gtfo?

Kubernetes RBAC Abuse Collection

View on GitHub

update pods

Verb: update

Resource: pods

Description: Update existing Kubernetes pods

Abuses

Container Escape

Update pod to run with privileged access (BadPod) and escape container boundaries

# Update pod to run as privileged
# Update pod to add host filesystem mounts

Lateral Movement

Update pod to 1. execute arbitrary code 2. change its labels to trigger its eviction until it is assigned to an attacker controlled node (Can be combined with the abuse of 'update/patch nodes' or 'update/patch nodes/status' permissions to prevent pods being assigned to non-attacker controlled nodes)

← Back to overview