Last updated: April 29, 2026
Kubernetes is a platform that runs other platforms, and complexity is attack surface. Every component — kubelet, API server, etcd, CoreDNS, service mesh proxies, ingress controllers, admission webhooks, operators — has its own attack surface. Misconfigurations span identity (RBAC), network (policies), workload (pod security), supply chain (images), and runtime (privilege escalation from a pod).
Why K8s is complex to secure
- Permissive by default — ServiceAccount tokens are mounted into every pod unless explicitly disabled, and the default namespace carries equally broad defaults
- Every namespace is a boundary; not every team treats it as one
- RBAC has many verbs and resources, and the effective permissions of combined roles are hard to reason about
- Admission controllers need careful configuration to prevent bypass
- Runtime privilege escalation paths exist for pods (hostPath mounts, privileged containers, CAP_SYS_ADMIN)
- Service-mesh sidecar containers bypass many pod-level controls
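As an added example (written for this page, not code from any Kubernetes project), a small Python audit that flags the defaults and escalation paths listed above in a Pod object of the shape `kubectl get pod -o json` returns; the two manifests are constructed, and `audit_pod` is a hypothetical helper name.

```python
from typing import Any

def _containers(spec: dict) -> list[dict]:
    # init, regular and ephemeral containers share the same securityContext shape
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))

def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return findings for one Pod object (kubectl get pod -o json shape)."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings: list[str] = []
    # Default is true: the token is mounted unless the pod (or its ServiceAccount)
    # opts out. Only the pod field is visible here, so a missing field is a finding.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(f"{name}: ServiceAccount token is automounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol.get('name')} -> "
                            f"{vol['hostPath'].get('path')}")
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        cname = c.get("name")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Kubernetes spells capabilities without the CAP_ prefix; normalise both forms
        added = {cap.upper().removeprefix("CAP_")
                 for cap in (sc.get("capabilities") or {}).get("add", [])}
        if "SYS_ADMIN" in added or "ALL" in added:
            findings.append(f"{name}/{cname}: CAP_SYS_ADMIN granted")
    return findings

# Constructed manifests: a debug pod with every listed escalation path, and a
# hardened pod that opts out of the token and drops all capabilities.
RISKY_POD = {"metadata": {"name": "debug"}, "spec": {
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_POD = {"metadata": {"name": "web"}, "spec": {
    "automountServiceAccountToken": False,
    "containers": [{"name": "app", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "clean")
```

Pipe real cluster output through `json.load` and call `audit_pod` on each item of the returned list to run the same checks against live pods.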
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.