From Pod to Node: Container Escape Fundamentals
What we look for first when we land a shell inside a Kubernetes pod during a cloud assessment — and the hardening that closes each path.
A foothold in a single container is rarely the end of a cloud engagement. The real question is what that container can reach. Our triage focuses on the handful of misconfigurations that turn a pod into node — and node into cluster.
The first five checks
- Is the container privileged or running as root?
- Are dangerous capabilities (SYS_ADMIN) granted?
- Is the host filesystem or Docker socket mounted in?
- Is hostPID / hostNetwork enabled?
- Is the service-account token over-permissioned?
bash# enumerate the service account's reach (authorized testing only) kubectl auth can-i --list \ --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
Why these matter
Each item collapses the boundary between workload and host. A mounted host path or socket is effectively root on the node. An over-scoped token can create privileged pods and pivot across the cluster.
Hardening
Apply restrictive Pod Security Standards, drop all capabilities by default, never mount the host socket, and scope service accounts to least privilege. Defense in depth means an escape attempt hits a wall at every layer.
root@offseccodes:~$ ./engage.sh
Want this tested on your own systems?
We run authorized assessments that find exactly these issues before attackers do.
Start an engagement