Module 4 · Kubernetes Attack Surface

Last updated: April 29, 2026

Kubernetes is where 2024-2026 cloud security action is happening. Every Indian fintech, every serious SaaS, and most mature enterprises now run workloads on Kubernetes. And Kubernetes, by design, has the most complex security surface of any modern platform. The control plane, the worker nodes, the network fabric, the service mesh, the supply chain, the secrets, and the workloads themselves — all of them need dedicated security thinking.

This module is the attacker’s-eye-view of Kubernetes combined with the defender’s hardening playbook. By the end you will:

• Understand the K8s control-plane components and which ones are high-value targets
• Know the standard privilege-escalation paths from a compromised pod to cluster admin
• Apply the CIS Kubernetes Benchmark mental model to real clusters
• Recognise supply-chain attack vectors specific to container images and Helm charts
• Use the mature tooling (kubescape, kube-bench, Falco, Trivy) to audit and monitor

Control plane — the crown jewels

The Kubernetes control plane runs on master nodes (or as a managed service in EKS/AKS/GKE). Key components:

• kube-apiserver — the gateway. Every component talks to it. If compromised, everything is compromised
• etcd — the cluster state database. Stores every Secret, ConfigMap, Pod spec. Read access = cluster credential dump
• kube-scheduler — decides which node a pod runs on
• kube-controller-manager — runs controllers (deployment, replication, node lifecycle)
• cloud-controller-manager — integrates with cloud provider APIs

All of these communicate via mTLS. Compromising any one typically means the cluster is lost. In managed clusters (EKS/AKS/GKE), the provider runs the control plane. For self-managed clusters, protect master nodes at Tier-0 level: no interactive access, dedicated subnet, MFA-required SSH, continuous patching.