Kubernetes Penetration Testing
Trace the pivot paths before someone else does.
SecureLayer7 testers abuse Kubernetes the way a motivated actor does after they already have a foothold: reachable kubelets, RBAC verbs that chain to cluster-admin, admission stacks that look fine on paper, and tokens that survive longer than the pod. You get ranked chains with manifests, kubectl transcripts, fixes written for platform engineers, and a re-test so audit sees proof, not debate.
Cluster-internal vantage
We start from workloads and identities your threat model already treats as risky, then move toward control plane and supply-chain edges. Not a perimeter-only review.
Working proof-of-exploit
Manifests, commands, and remediation your engineers can drop straight into tickets. Not a passing CIS row that still leaves cluster-admin within reach.
Re-test included
After you ship patches, we re-run the chain. Written confirmation for each closed pivot, at no extra fee.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record
Why benchmarks greenwash risk
Clean CIS rows do not erase cluster-admin routes. Chained pivots do.
kube-bench, Trivy, and CIS profiles grade configuration snapshots. They rarely prove chained impact: compromised workload, abused kubelet API, lateral hops across namespaces, cluster-admin. We string those steps the way an adversary would, so platform leads and auditors get a narrative they can follow without guessing.
POD-ESCAPE PATHS.
Where a misconfigured cluster gives an attacker root on the host.
- 01 hostPath to node root
Pod mounts / from the host, attacker writes to /etc/kubernetes/manifests, static-pod becomes a privileged kubelet workload.
- 02 Privileged pod escape
securityContext.privileged true, capabilities SYS_ADMIN, mount cgroups release_agent, execute on the node as root.
- 03 Service-account token theft
Auto-mounted token in a compromised pod, kubectl auth can-i wildcard, list secrets across every namespace.
- 04 Kubeconfig from disk
Developer kubeconfig left in a CI runner image, cluster-admin context survives image rebuild, attacker reuses it from outside.
- 05 etcd direct read
etcd endpoint exposed on the control-plane subnet without client-cert auth, dump every Secret object in plaintext.
- 06 Admission webhook bypass
ValidatingAdmissionWebhook fail-open on timeout, attacker submits a Pod that the policy would have blocked.
- 07 Ingress mTLS gap
Internal service trusts the ingress identity, attacker who reaches the service mesh from a sidecar replays cluster-internal calls.
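For platform teams who want to check their own manifests for the preconditions behind paths 01, 02, 03 and 06, here is a small audit sketch. It is an added example, not SecureLayer7 tooling; the sample objects and the `audit` function name are constructed for illustration.

```python
# Constructed sample objects, not taken from any real cluster.
OBJECTS = [
    {"kind": "Pod", "metadata": {"name": "debug-shell"},
     "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
              "containers": [{"name": "sh", "securityContext": {
                  "privileged": True,
                  "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    {"kind": "Pod", "metadata": {"name": "api"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "api", "securityContext": {
                  "capabilities": {"drop": ["ALL"]}}}]}},
    {"kind": "ValidatingWebhookConfiguration",
     "metadata": {"name": "pod-policy"},
     "webhooks": [{"name": "pods.policy.example", "failurePolicy": "Ignore"}]},
]


def audit(obj):
    """Return (path_id, message) findings for one manifest object."""
    findings = []
    if obj.get("kind") == "Pod":
        spec = obj.get("spec") or {}
        for vol in spec.get("volumes", []):
            path = (vol.get("hostPath") or {}).get("path")
            # Host root or the kubelet's config tree is the precondition for 01.
            if path and (path == "/" or path.startswith("/etc/kubernetes")):
                findings.append(("01", f"hostPath volume mounts {path}"))
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append(("02", f"container {c['name']} is privileged"))
            if "SYS_ADMIN" in (sc.get("capabilities") or {}).get("add", []):
                findings.append(("02", f"container {c['name']} adds SYS_ADMIN"))
        # Pod-level field only; a ServiceAccount can also disable auto-mount.
        if spec.get("automountServiceAccountToken", True):
            findings.append(("03", "service-account token is auto-mounted"))
    elif obj.get("kind") == "ValidatingWebhookConfiguration":
        for wh in obj.get("webhooks", []):
            # "Ignore" admits the request when the webhook errors or times out.
            if wh.get("failurePolicy") == "Ignore":
                findings.append(("06", f"webhook {wh['name']} fails open"))
    return findings


if __name__ == "__main__":
    for o in OBJECTS:
        for path_id, msg in audit(o):
            print(f"{o['kind']}/{o['metadata']['name']}: [{path_id}] {msg}")
```
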
Scope
Four cluster planes. One engagement.
Most cluster reviews stop at isolated findings. We chain control plane exposure, workload breakout, identity and secrets, and supply-chain trust in one engagement, mapped to your topology and exercised manually against the bug classes that appear once an attacker already has a foothold.
Control plane
kube-apiserver anonymous-auth, etcd 2379 exposure, kubelet 10250 unauth, scheduler / controller-manager metrics leak, admission-webhook race, audit-policy gap, /healthz info disclosure, in-cluster API server SSRF.
Workload & data plane
Privileged-container escape, hostPath / hostNetwork / hostPID abuse, SYS_ADMIN & NET_RAW capability misuse, missing seccomp / AppArmor, PodSecurityStandards bypass, NetworkPolicy default-allow, sidecar trust-boundary leak, ConfigMap secrets leak.
Identity, RBAC & secrets
ServiceAccount token theft and replay, escalate / impersonate / bind verb chaining, over-scoped ClusterRoleBinding, projected-token reuse across namespaces, IRSA / Workload-Identity confusion, External-Secrets misconfig, kubectl auth can-i blind spots.
Supply chain
Mutating-webhook abuse, unsigned-image admission, ImagePullSecret leak, base-image typosquat, SBOM tampering, GitOps repo and pipeline takeover, Helm-chart values injection, registry-credential reuse across clusters.
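The escalate / impersonate / bind verb chaining named under Identity, RBAC & secrets can be reviewed from the role definitions themselves. The sketch below is an added example, not SecureLayer7 tooling: the ClusterRole objects and the `risky_rules` helper are constructed, and it flags rules that grant those verbs or read access to Secrets.

```python
# Constructed ClusterRole objects for illustration only.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [
         {"apiGroups": ["rbac.authorization.k8s.io"],
          "resources": ["clusterroles"], "verbs": ["bind", "get"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "helpdesk"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"],
                "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
]

RBAC_GROUP = "rbac.authorization.k8s.io"


def matches(values, wanted):
    """True if the rule field is a wildcard or names any wanted value."""
    return "*" in values or bool(set(values) & set(wanted))


def risky_rules(role):
    """Return labels for rules that let a subject widen its own access."""
    labels = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        res = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        # bind/escalate on roles lets a subject grant rights it does not hold.
        if (matches(groups, [RBAC_GROUP])
                and matches(res, ["roles", "clusterroles"])
                and matches(verbs, ["bind", "escalate"])):
            labels.append("bind-or-escalate")
        # impersonate lets a subject act as another user, group or SA.
        if (matches(groups, [""])
                and matches(res, ["users", "groups", "serviceaccounts"])
                and matches(verbs, ["impersonate"])):
            labels.append("impersonate")
        # get/list/watch on secrets returns the secret values themselves.
        if (matches(groups, [""]) and matches(res, ["secrets"])
                and matches(verbs, ["get", "list", "watch"])):
            labels.append("read-secrets")
    return labels


if __name__ == "__main__":
    for r in ROLES:
        print(r["metadata"]["name"], risky_rules(r) or "no risky rules")
```
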
KUBERNETES METHODOLOGY.
Eight phases. Threat-modelled to your cluster.
Scoped to your topology, namespaces, RBAC graph, admission controllers, and how images actually ship. We stress APIs, controllers, workloads, and pipelines until impact is demonstrated or ruled out. Deliverables include prerequisites, blast radius, and remediation sized for how your platform team ships change.
- 01 Scope & threat-model
- 02 Recon & enumeration
- 03 Configuration review
- 04 Identity & RBAC exploitation
- 05 Workload & cluster exploitation
- 06 Supply chain & admission
- 07 Remediation guidance
- 08 Patch verification
Insights
Kubernetes security Resources.
Notes from operators who publish CVE research and ship fixes in the open: Kubernetes hardening, exploit chains, and lessons from real cluster engagements.
Meet our engagement lead
Engagement lead. John Dill.
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John owns Kubernetes engagements from scope to re-test. Topology and RBAC graph become the test plan your platform org recognises. He stays through live walkthroughs, remediation, and re-test.
- Scopes EKS, AKS, GKE, and self-managed clusters against how you run production, not a generic checklist.
- Runs kick-off, mid-engagement reviews, and live demos for every material finding.
- Closes the loop on remediation and re-test until pivot paths are demonstrably gone.

When your next board or audit cycle asks how far someone moves from one bad pod, book 30 minutes with John. Topology, RBAC graph, and timeline on one call.
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Banking workloads on k8s, secret-rotation, PCI segmentation in service mesh.
HealthTech
HIPAA-aligned k8s workloads, PHI-handling pods, audit-log retention paths.
Built for Australia engagements
What changes when we deliver here.
Regulatory framework
ACSC container security guidance map
Compliance scoping
PSS Restricted / Baseline score per namespace
Local engagements
Logistics SaaS — 14 clusters, 220+ namespaces
Local pricing
AUD per-cluster scoping, GST inclusive option
Compliance scoping
Essential 8 Strategy 1 + 2 evidence pack
Questions Australian platform engineers ask first.
Do you test Pod Security Standards?
Yes. Restricted, Baseline, and Privileged profile gaps are scored per namespace. Each gap cites the PSS rule and the ACSC container guidance section.
How do you handle admission controllers?
OPA / Gatekeeper and Kyverno policies are reviewed for ASD ISM separation of duties and least-privilege. Missing controls are graded as policy gaps.
What about workload identity to cloud APIs?
IRSA, Workload Identity, and Azure Workload Identity trust chains are tested. Cross-cloud federation is flagged for APP 8 disclosure.
Can findings feed an Essential 8 ML2 attestation?
Yes. Application control (Strategy 1) and patching (Strategy 2) evidence covers image scanning and node patching cadence.
Delivery in Australia
ACSC containers. ASD ISM workload.
Cluster, pod, and supply-chain findings cite ACSC container security guidance. Runtime gaps map to ASD ISM application control and software development clauses.
- Direct line
- +61-2-0000-0000
- Office
- Sydney, Australia
Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.
Sample engagement report
See a manifest-led kill chain auditors can follow.
The sample pack walks YAML-shaped edges, RBAC escalation, and the shortest path from workload compromise to cluster-wide impact. Redacted from real engagements, formatted for risk and audit readers. Sent after a short scoping call so examples match your environment.




