Question 1

What is a Kubernetes pod escape?

Accepted Answer

A Kubernetes pod escape is an attack where an adversary breaks out of a container's isolation to access the underlying host node or other containers. Common vectors include privileged containers, hostPath volume mounts, exposed Docker sockets, exploitable kernel vulnerabilities, and overly permissive service account tokens that allow cluster-wide API access.

Question 2

How do I prevent Kubernetes pod escapes?

Accepted Answer

Never run containers as privileged or as root. Use Pod Security Standards to enforce restrictions, disable automounting of service account tokens, avoid hostPath mounts and hostPID/hostNetwork settings, apply network policies, use seccomp and AppArmor profiles, scan images for vulnerabilities, and implement RBAC with least-privilege principles.

Kubernetes Pod Escape

Challenges

Frequently Asked Questions