The Reconnaissance Playbook of a Kubernetes Attacker

As Kubernetes gained widespread adoption in production environments, it became a more attractive target for attackers. Its distributed and dynamic nature makes it well suited to scalable, flexible containerized applications, but that same flexibility brings a large configuration surface that is easy to get wrong, and misconfigurations are what attackers most often exploit.

For an attacker looking to exploit a Kubernetes cluster, reconnaissance is a critical first step. This is where they map the environment, identify entry points, and plan exploits.

In this article, you’ll look over the shoulder of an attacker to learn the Kubernetes reconnaissance playbook so you can secure your Kubernetes clusters against these threats.

Setting the Scene for Reconnaissance in Kubernetes

Reconnaissance is how attackers gather critical information about a Kubernetes cluster: its structure, components, and potential weaknesses. To understand how attackers conduct recon, you first need to know what those components are and how they connect.

The components include:

  1. Container: Containers are lightweight, portable units that package application code with its dependencies. Even a correctly isolated container carries information that identifies the cluster, and a misconfigured one can expose much more, for example:
    • The Kubernetes API server address (KUBERNETES_SERVICE_HOST), injected as an environment variable into every container by default.
    • The port the API server listens on (KUBERNETES_SERVICE_PORT).
    • Service credentials or access tokens inadvertently embedded in application config files or environment variables.
  2. Pod: A pod is the basic deployable unit in Kubernetes, consisting of one or more containers that share storage and network resources. Attackers often focus on pods to explore inter-container communications.
  3. Service Account: Service accounts are the identities pods use when they talk to the Kubernetes API. By default a pod's service account token is mounted into its containers, so whoever controls the container holds that identity. Over-permissioned service accounts let attackers:
    • Query the Kubernetes API for cluster-wide information, limited only by the account's RBAC bindings.
    • Execute commands in other pods (if the account has pods/exec permission), gaining lateral access.
  4. Deployment: Deployments manage pods and ensure they run according to specified configurations. Attackers may target deployments to manipulate the application’s scale or behavior.
  5. Namespace: Namespaces logically partition the cluster, grouping resources for different teams or environments. By enumerating namespaces, attackers can gain a better understanding of the cluster’s organization.
  6. Node: Nodes are physical or virtual machines that host pods. They provide the compute power behind the cluster and may expose vulnerabilities through misconfigurations or outdated software.
  7. Cluster: A cluster is a collection of nodes working together as a cohesive unit, orchestrated by Kubernetes to deploy, manage, and scale containerized applications. Attackers focus on clusters to map resources and identify weak points.

The Kubernetes Reconnaissance Playbook

After gaining access to a container, whether through a phishing attack, an exploited application vulnerability, an unsecured network endpoint, or some other way, attackers run a series of commands and tools to perform reconnaissance:

1. Locating Kubernetes-related files

Attackers search the file system for directories containing Kubernetes data:

root@container:/# find / 2>/dev/null | grep -i kube
/run/secrets/kubernetes.io
/run/secrets/kubernetes.io/serviceaccount
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/ca.crt
/run/secrets/kubernetes.io/serviceaccount/token

Finding these files confirms that the process is running in a Kubernetes pod and hands the attacker the service account token, the namespace the pod runs in, and the cluster CA certificate (ca.crt), which lets them talk TLS to the API server without disabling certificate checks.

2. Enumerating environment variables

With the environment variables listed, attackers can find cluster-specific information:

root@container:/# env | grep -i kube
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT_443_TCP=tcp://10.33.144.1:443
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.33.144.1
KUBERNETES_SERVICE_HOST=10.33.144.1
KUBERNETES_PORT=tcp://10.33.144.1:443
KUBERNETES_PORT_443_TCP_PORT=443

This reveals the in-cluster address and port of the API server (here 10.33.144.1:443), which attackers use as the target for the queries in the next step.

3. Querying the Kubernetes API

Using the mounted service account token, attackers query the API to map the cluster. What they can see is bounded by the RBAC bindings of that account, but even a 403 Forbidden response is informative: the error message names the caller (for example system:serviceaccount:<namespace>:<name>), confirming that the token is valid and telling the attacker which identity they hold.

Common API paths queried include:

  1. Namespaces: /api/v1/namespaces
  2. Pods in a Namespace: /api/v1/namespaces/$NAMESPACE/pods
  3. Nodes: /api/v1/nodes
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/run/secrets/kubernetes.io/serviceaccount/ca.crt
NAMESPACE=$(cat /run/secrets/kubernetes.io/serviceaccount/namespace)
API=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT

# Get namespaces
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" $API/api/v1/namespaces/
# Get pods inside a namespace
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" $API/api/v1/namespaces/$NAMESPACE/pods
# Get service accounts
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" $API/api/v1/serviceaccounts
# Get nodes
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" $API/api/v1/nodes
# Get deployments
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" $API/apis/apps/v1/deployments
# Run a command in a pod. The path is pods/exec, so the token needs pods/exec permission;
# the API server also requires a WebSocket/SPDY upgrade for exec, so a plain POST like
# this one is answered with "Upgrade request required" and in practice kubectl exec or a
# websocket client is used with the same token and URL.
curl -X POST -k -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  "$API/api/v1/namespaces/$NAMESPACE/pods/$POD/exec?command=/bin/bash&stdin=true&stderr=true&stdout=true&tty=true"

4. Network scanning

Network scans reveal which endpoints and ports the compromised pod can reach: the API server address found above, the kubelet on each node, and services and pods in other namespaces if no network policy restricts them.

5. Searching for docker socket files

Some containers mount the Docker socket (by default /var/run/docker.sock) so that tooling inside them can drive the container runtime. Any process that can write to that socket controls the node's Docker daemon and can start a new privileged container with the host filesystem mounted, which is effectively root on the node, so attackers check for it:

root@container:/# find / -name docker.sock 2>/dev/null

On nodes that run containerd rather than Docker, the equivalent target is containerd.sock (normally under /run/containerd).
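Steps 1 to 3 above can be scripted, and the token step yields more than the article's commands show. The following Python script is an added example, not code from the original article or from Upwind: it builds the API server URL from the injected environment variables and decodes the claims of the mounted service account token offline, without verifying the signature. Service account tokens are JSON Web Tokens, so their payload tells the attacker the account name, the namespace, the pod the token is bound to and whether it ever expires, before a single request reaches the API server or its audit log. The environment values, namespace, pod name and tokens in the block are constructed for the demonstration.

```python
import base64
import json
import os
from typing import Any, Dict, Optional

SA_DIR = "/run/secrets/kubernetes.io/serviceaccount"  # default mount path inside a pod


def api_server_url(env: Dict[str, str]) -> str:
    """Build the API server URL from the variables the kubelet injects into
    every container (the ones `env | grep -i kube` lists)."""
    host = env["KUBERNETES_SERVICE_HOST"]
    port = env.get("KUBERNETES_SERVICE_PORT_HTTPS") or env.get("KUBERNETES_SERVICE_PORT", "443")
    return f"https://{host}:{port}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload of a service account JWT WITHOUT verifying it.

    The attacker only wants to read the claims; verification would need the
    API server's signing key, which is not available inside the container."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token(token: str) -> Dict[str, Any]:
    """Pull out the recon-relevant claims, handling both token formats:
    legacy secret-based tokens carry flat kubernetes.io/serviceaccount/*
    claims and never expire; bound projected tokens (the default since
    Kubernetes 1.22) nest namespace, pod and service account under a
    "kubernetes.io" claim and carry an expiry."""
    c = decode_claims(token)
    bound = c.get("kubernetes.io") or {}
    return {
        "subject": c.get("sub"),          # system:serviceaccount:<namespace>:<name>
        "issuer": c.get("iss"),
        "namespace": bound.get("namespace") or c.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": (bound.get("serviceaccount") or {}).get("name")
        or c.get("kubernetes.io/serviceaccount/service-account.name"),
        "pod": (bound.get("pod") or {}).get("name"),  # only present in bound tokens
        "expires": c.get("exp"),                      # None for legacy tokens
    }


def recon_from_container(env: Optional[Dict[str, str]] = None, sa_dir: str = SA_DIR) -> Dict[str, Any]:
    """Everything an attacker learns before sending a single API request:
    where the API server is and which identity the mounted token carries."""
    env = dict(os.environ) if env is None else env
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read()
    return {"api_server": api_server_url(env), **summarize_token(token)}


def make_demo_token(claims: Dict[str, Any]) -> str:
    """CONSTRUCTED token for offline demonstration only: the signature segment
    is a placeholder, so a real API server would reject it."""
    def enc(obj: Any) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "demo"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


# Constructed sample data; the env values mirror the dump shown earlier.
DEMO_ENV = {"KUBERNETES_SERVICE_HOST": "10.33.144.1", "KUBERNETES_SERVICE_PORT": "443",
            "KUBERNETES_SERVICE_PORT_HTTPS": "443"}
DEMO_BOUND_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:payments:api-worker",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1735689600, "nbf": 1735689600, "exp": 1767225600,
    "kubernetes.io": {
        "namespace": "payments",
        "pod": {"name": "api-worker-6d8f9c7b4-x2k9p", "uid": "0f3c1d2e-demo"},
        "serviceaccount": {"name": "api-worker", "uid": "9a8b7c6d-demo"},
    },
}
DEMO_LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:kube-system:default",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/secret.name": "default-token-demo",
}

if __name__ == "__main__":
    # Inside a real pod call recon_from_container(); here the constructed samples are used.
    print("API server:", api_server_url(DEMO_ENV))
    for kind, claims in (("bound", DEMO_BOUND_CLAIMS), ("legacy", DEMO_LEGACY_CLAIMS)):
        print(kind, json.dumps(summarize_token(make_demo_token(claims)), indent=2))
```

The point of the legacy-versus-bound distinction is defensive as much as offensive: a legacy token with no exp claim stays valid until the secret is deleted, so a copy taken from a compromised container remains usable indefinitely, whereas a bound token expires and is tied to one pod.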

What can you do to secure your Kubernetes cluster from an attacker’s recon?

How to Defend Against Kubernetes Reconnaissance

Securing Kubernetes against reconnaissance requires a proactive and multi-layered approach that shields your cluster from potential exploits.

Start by hardening your Kubernetes configurations. Every pod mounts its service account token by default, so set automountServiceAccountToken: false on pods that never call the API, and give the ones that do a dedicated service account rather than the namespace's shared default one. Implement strict Role-Based Access Control (RBAC) policies so each service account has only the permissions its workload needs and no more; in particular, avoid granting list on secrets or pods/exec beyond the namespaces that need it. This limits what a stolen token can map and significantly reduces the risk of privilege escalation.
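To make that hardening concrete, the following Python checker is an added example, not code from the original article, from Upwind, or from any GlobalDots tool. It takes pod manifests as dicts (the shape `kubectl get pods -o json` produces) and flags the settings that the recon steps above feed on: an auto-mounted token, the shared default service account, host namespaces, a runtime socket mounted via hostPath, and privileged containers. The weak and hardened manifests in the block are constructed, and the image name and namespace are placeholders.

```python
import json
import sys
from typing import Any, Dict, List

# Sockets that hand a container control of the node's container runtime.
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock",
                   "/run/containerd/containerd.sock", "/var/run/crio/crio.sock"}


def audit_pod_spec(pod: Dict[str, Any]) -> List[str]:
    """Return hardening findings for one Pod manifest given as a dict.

    Each finding maps to something the recon playbook feeds on: a mounted
    API token, a shared default identity, a runtime socket, or a container
    that already holds node-level privileges."""
    spec = pod.get("spec") or {}
    meta = pod.get("metadata") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    findings: List[str] = []

    # automountServiceAccountToken defaults to true, so a missing field means mounted.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted "
                        "(set automountServiceAccountToken: false unless the app calls the API)")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append(f"{name}: runs as the namespace's shared 'default' service account")
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path in RUNTIME_SOCKETS:
            findings.append(f"{name}: hostPath volume '{vol.get('name')}' mounts {path} "
                            "(control of the runtime is root on the node)")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{name}/{c.get('name')}: privileged container")
    return findings


def audit_kubectl_json(doc: Dict[str, Any]) -> List[str]:
    """Accept either a single Pod or the List that `kubectl get pods -o json` emits."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for pod in items for f in audit_pod_spec(pod)]


# Constructed manifests: the weak one is the kind of CI agent the docker.sock
# step above looks for; the hardened one is the same workload corrected.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-agent", "namespace": "ci"},
    "spec": {
        "containers": [{
            "name": "agent", "image": "example.internal/build-agent:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-agent", "namespace": "ci"},
    "spec": {
        "serviceAccountName": "build-agent",
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "agent", "image": "example.internal/build-agent:1.0",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in, or run with no input to see the samples.
    docs = [json.load(sys.stdin)] if not sys.stdin.isatty() else [WEAK_POD, HARDENED_POD]
    for doc in docs:
        for finding in audit_kubectl_json(doc):
            print(finding)
```

Run against a whole cluster with `kubectl get pods -A -o json | python3 check.py`; anything it reports for a workload that does not need the API or the runtime is a recon foothold you can remove with a manifest change rather than a new tool.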

You also want to make it a habit to audit Kubernetes API access and logs regularly. The API server's audit log records every request together with the calling identity, verb, resource and response code, so a workload identity listing namespaces or nodes, or collecting 403 Forbidden responses as it probes its permissions, stands out early, before the activity escalates into a serious incident.
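Because the audit log carries those fields, the recon steps in the playbook leave a recognisable trail. The Python detector below is an added example, not part of the original article or of Upwind's product: it scores audit events (audit.k8s.io/v1, one JSON object per line) for a workload identity listing cluster-scoped or sensitive resources, calling pods/exec, or accumulating 403 Forbidden responses while probing its permissions. The audit lines, service account name and threshold in the block are constructed for the demonstration and would need tuning on a real cluster.

```python
import json
import sys
from collections import Counter
from typing import Any, Dict, List, Optional

# Resources a workload identity has little legitimate reason to enumerate.
CLUSTER_MAP_RESOURCES = {"namespaces", "nodes"}
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts", "clusterroles", "clusterrolebindings"}
FORBIDDEN_THRESHOLD = 3  # denied requests from one identity before we call it probing


def is_workload_identity(username: str) -> bool:
    """Pods authenticate as system:serviceaccount:<namespace>:<name>."""
    return username.startswith("system:serviceaccount:")


def detect_recon(audit_lines: List[str]) -> List[Dict[str, str]]:
    """Scan API server audit events and return findings that match the playbook."""
    findings: List[Dict[str, str]] = []
    denied: Counter = Counter()
    for raw in audit_lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        # Each request is logged at RequestReceived and again at ResponseComplete;
        # only the latter carries the status code, so score that one.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        verb = ev.get("verb", "")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        resource, sub = ref.get("resource"), ref.get("subresource")
        where = ref.get("namespace") or "cluster-scope"
        if code == 403:
            denied[user] += 1
        if not is_workload_identity(user):
            continue  # admins and controllers list nodes all day; pods should not
        if verb in ("list", "watch") and resource in CLUSTER_MAP_RESOURCES | SENSITIVE_RESOURCES:
            findings.append({"rule": f"workload_enumerates_{resource}", "user": user,
                             "detail": f"{verb} {resource} in {where} -> HTTP {code}"})
        if verb == "create" and resource == "pods" and sub == "exec":
            findings.append({"rule": "workload_pod_exec", "user": user,
                             "detail": f"exec into {where}/{ref.get('name')} -> HTTP {code}"})
    for user, n in denied.items():
        if n >= FORBIDDEN_THRESHOLD:
            findings.append({"rule": "rbac_probing", "user": user,
                             "detail": f"{n} forbidden responses (permission enumeration)"})
    return findings


def _event(stage: str, user: str, verb: str, resource: str, code: int,
           namespace: Optional[str] = None, name: Optional[str] = None,
           subresource: Optional[str] = None) -> str:
    """Build one CONSTRUCTED audit line in the audit.k8s.io/v1 Metadata-level shape."""
    ref: Dict[str, Any] = {"resource": resource}
    for k, v in (("namespace", namespace), ("name", name), ("subresource", subresource)):
        if v:
            ref[k] = v
    ev: Dict[str, Any] = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": stage, "verb": verb, "objectRef": ref,
        "user": {"username": user, "groups": ["system:authenticated"]},
        "sourceIPs": ["10.33.12.7"], "userAgent": "curl/8.5.0",
        "requestReceivedTimestamp": "2025-01-15T10:42:01.120Z",
    }
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


SA = "system:serviceaccount:payments:api-worker"
# Constructed sample log: a compromised pod walks the API paths from step 3.
SAMPLE_AUDIT_LOG = [
    _event("RequestReceived", SA, "list", "namespaces", 0),
    _event("ResponseComplete", SA, "list", "namespaces", 403),
    _event("ResponseComplete", SA, "list", "nodes", 403),
    _event("ResponseComplete", SA, "list", "secrets", 403, namespace="payments"),
    _event("ResponseComplete", SA, "list", "pods", 200, namespace="payments"),
    _event("ResponseComplete", SA, "create", "pods", 101, namespace="payments",
           name="frontend-7c9d5-q4w2z", subresource="exec"),
    _event("ResponseComplete", "alice@example.com", "list", "nodes", 200),
]

if __name__ == "__main__":
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for f in detect_recon(lines):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

Note that the denied requests are flagged too: with tight RBAC the attacker's namespace and node listings fail, but the burst of 403s from a single service account is itself the signal, which is why hardening and logging belong together.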

Next, focus on network segmentation to limit an attacker’s ability to move laterally within your cluster. Apply network policies to control how pods communicate with each other and with external networks.

This isolation is crucial. For example, if an attacker compromises one pod, strong segmentation prevents them from reaching others. Adding ingress and egress rules further tightens security by restricting unnecessary traffic. These measures create a controlled network environment that makes reconnaissance far harder for attackers.

Monitoring is another prime defense strategy. It ensures threats are identified and neutralized before they escalate. To achieve this, deploy runtime security tools that detect anomalous activity in real time. Imagine spotting unauthorized API queries or unusual system calls early on. These are subtle, early signs of recon.

You can also use technologies like eBPF, which give visibility into system calls and network events from the kernel without instrumenting the workloads themselves. With eBPF you can watch for recon-style activity as it happens, such as a shell spawned inside a container, a process reading the service account token, or an unexpected connection to the API server, with low overhead.

Finally, turn to cloud-native security platforms for broader coverage. These platforms, such as the partners we work with at GlobalDots, offer continuous monitoring and real-time threat detection across the cluster's network traffic at layers 3, 4, and 7. They don't just alert you to problems; they help you prioritize by cutting through the noise to highlight the most critical issues.

Additionally, their automated response capabilities let you contain threats quickly, so your Kubernetes environment stays resilient.

Combined, these proactive measures form a layered defense that keeps your clusters secure and operational.

In Summary…

With the immense power and flexibility of Kubernetes come unique security challenges. Attackers' reconnaissance maps the environment, hunting for the vulnerabilities and misconfigurations their later exploits will target.

But with your newfound understanding of their recon playbook, and by implementing strong security practices, you can proactively defend your clusters.

This blog post was written in collaboration with Upwind
