A Kubernetes pod, the smallest deployable unit of computing, is a group of one or more containers, such as Docker containers. When a pod runs multiple containers, the containers are managed as a single entity and share the pod's resources, such as storage and network services.
A container escape may allow an attacker to enter other containers in that pod. In the case of host mounting, where the Kubernetes host filesystem is mountable within a pod, an attacker may escape the container and access the host system.
Execute Operator's "Is my Kubernetes pod protected against host mounting?" TTP on each Kubernetes pod in your environment to test whether you are vulnerable.
This chain tests whether the host filesystem can be mounted inside the pod by attempting to mount it at a /host/ directory. If the host filesystem can be mounted, the TTP reads /etc/passwd from the host and returns the output to Operator.
To protect yourself, it is recommended not to run your pods in privileged mode.
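As an added defensive check (not Prelude's code or part of the TTP), the script below audits pod manifests for the two settings this chain depends on: containers running privileged and hostPath volumes that expose the node's filesystem, so it goes slightly beyond the privileged-mode advice above. It assumes manifests are plain dicts such as those parsed from `kubectl get pods -A -o json`; the two sample pods are constructed.

```python
# Added example, not Prelude's code: audit pod manifests (dicts as returned by
# `kubectl get pods -A -o json`) for the two settings the TTP above relies on,
# privileged containers and hostPath volumes exposing the node filesystem.

def audit_pod(pod):
    """Return a list of finding strings for one pod manifest dict."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    # Map hostPath volume name -> node path it exposes
    host_vols = {v["name"]: v["hostPath"].get("path", "/")
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols:
                path = host_vols[m["name"]]
                # Mounting the node root is exactly the case the TTP tests for
                kind = "node root" if path in ("", "/") else "node path"
                findings.append(f"{name}: container {c['name']} mounts "
                                f"{kind} {path} at {m['mountPath']}")
    return findings

def audit_pods(pods):
    """Flatten findings across a list of pod manifests."""
    return [f for pod in pods for f in audit_pod(pod)]

# Constructed sample manifests: one weak (privileged + host root mount), one hardened.
WEAK_POD = {
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "shell",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]},
}
SAFE_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "app",
                             "securityContext": {"privileged": False,
                                                 "allowPrivilegeEscalation": False},
                             "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]},
}

if __name__ == "__main__":
    for line in audit_pods([WEAK_POD, SAFE_POD]):
        print(line)
```

Any pod listed in the output is one where this chain is likely to succeed and is the first candidate for removing privileged mode and the hostPath mount.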
Check out the TTP "Is my Kubernetes pod protected against host mounting?" on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!