Containers · Term

What is a privileged pod?

A privileged pod is the Kubernetes version of a privileged container, a pod whose security context removes isolation and opens a path to the node. Here is what makes a pod privileged and why it is a cluster risk.

TL;DR

A privileged pod is a Kubernetes pod whose security context weakens isolation, most directly with securityContext.privileged: true, but also via hostPID/hostNetwork, host-path mounts, allowPrivilegeEscalation, or added capabilities. Such a pod can usually escape to its node, and from the node reach other pods and the control plane. Because any identity that can create pods can request a privileged one, privileged pods are both a direct escape and an RBAC escalation target. Pod Security Standards exist to block them.

By John Dill, Red Team Lead, SecureLayer7

What a privileged pod is

A pod’s `securityContext` controls how isolated its containers are. A privileged pod is one configured to give up that isolation through any of the following settings:

  • `securityContext.privileged: true`, the most direct form, which gives the container the node’s device and capability set.
  • `hostPID` or `hostNetwork`, which share the node’s process or network namespace with the pod.
  • Host-path volume mounts, which expose the node’s filesystem inside the pod.
  • `allowPrivilegeEscalation` left enabled, so a process in the container can gain more privileges than its parent.
  • Added Linux capabilities beyond the default set.

Any of these moves the pod toward having host-level reach.

How it is abused

Privileged pods are abused two ways:

  • Direct escape: a workload that is already privileged is compromised, and the attacker escapes to the node (mount the host disk, abuse capabilities) then harvests other pods’ tokens.
  • RBAC escalation: an identity that can create pods but is otherwise limited requests a new privileged pod (or one mounting the node), schedules it, and uses it to break out, turning "can create pods" into "owns the node". See RBAC.


How to defend

  • Enforce Pod Security Standards (restricted) and admission control to reject privileged pods, host namespaces, and host mounts.
  • Set `allowPrivilegeEscalation: false`, drop all capabilities, run as non-root, read-only root filesystem.
  • Limit who can create pods and in which namespaces via RBAC.
  • Audit running pods for privileged security contexts.
  • Test the cluster for the create-pod-to-node-escape path.
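The audit item above, worked through as an added example (not SecureLayer7’s tooling): a Python function that walks a PodList document in the shape `kubectl get pods -A -o json` produces and flags every setting this page names as making a pod privileged. The sample PodList is constructed for the example, `hostIPC` is checked alongside `hostPID` and `hostNetwork` as a third host namespace, and the check treats `allowPrivilegeEscalation` as a finding unless it is explicitly `false`, because its default is true.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "debug", "namespace": "ops"},
     "spec": {"hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "web", "namespace": "app"},
     "spec": {"containers": [{"name": "nginx", "securityContext": {
         "allowPrivilegeEscalation": False, "runAsNonRoot": True,
         "capabilities": {"drop": ["ALL"]}}}]}},
]})

def audit_pod(pod: dict) -> list:
    """Return the settings that make one pod privileged (empty list if it is not)."""
    findings = []
    spec = pod.get("spec", {})
    # Host namespaces give the pod the node's process, network or IPC view.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(f"{field}=true")
    # hostPath volumes expose the node filesystem inside the pod.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath mount of {vol['hostPath'].get('path')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged=true")
        # allowPrivilegeEscalation defaults to true, so only an explicit false is safe.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation not set to false")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"{c['name']}: adds capabilities {added}")
    return findings

def audit_pod_list(pod_list_json: str) -> dict:
    """Audit a PodList JSON document; maps namespace/name to findings for flagged pods only."""
    flagged = {}
    for pod in json.loads(pod_list_json)["items"]:
        meta = pod["metadata"]
        findings = audit_pod(pod)
        if findings:
            flagged[f"{meta.get('namespace', 'default')}/{meta['name']}"] = findings
    return flagged

if __name__ == "__main__":
    for pod_name, findings in audit_pod_list(SAMPLE_PODS).items():
        print(pod_name, findings)
```

Against a live cluster, feed it the output of `kubectl get pods -A -o json`; every flagged pod is a candidate for the Pod Security Standards restrictions listed above.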
