Lateral movement

Controller of pods with impersonation privileges service account

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

Controllers are responsible for maintaining pod state according to a declared pod definition. Pods communicate with the Kubernetes API through the service account associated with them, and that service account's token is mounted by default into every newly created container. Orca has detected that the Controller {K8sController} creates pods that can impersonate other service accounts, users, or groups in the {K8sController.PodSpec.K8sCluster} cluster. An attacker with access to the pod's container can extract the service account token and use it to impersonate a more privileged identity, gaining a stronger foothold in the {K8sController.PodSpec.K8sCluster} cluster.
Recommended Mitigation

Consider changing {K8sController}'s role according to the least privilege principle.
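The following is an added example, not Orca's code, covering both the detection described above and the least-privilege mitigation. It walks constructed RBAC objects (shaped like the JSON that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -o json` returns), flags service accounts whose bound roles grant the `impersonate` verb either explicitly or through a `*` wildcard, and maps them back to the controllers whose pod templates run as those accounts, recording whether the token is actually mounted (`automountServiceAccountToken` defaults to true). A read-only replacement role is included so the reader can see that a least-privilege binding does not trigger. All object names (`pod-controller-sa`, `payments`, and so on) are hypothetical.

```python
"""Flag service accounts whose RBAC grants `impersonate`, and map them back
to the controllers whose pods mount those tokens.

Added example, not Orca's code. The RBAC and controller objects below are
constructed to mirror the shapes returned by `kubectl get ... -o json`;
every name (pod-controller-sa, payments, ...) is hypothetical.
"""
from collections import defaultdict

# Impersonation targets, keyed by the API group they live in.
IMPERSONATION_TARGETS = {
    "": {"users", "groups", "serviceaccounts"},
    "authentication.k8s.io": {"userextras", "uids"},
}


def rule_grants_impersonation(rule: dict) -> bool:
    """True if one PolicyRule allows `impersonate`, directly or via `*`."""
    verbs = set(rule.get("verbs", []))
    if not ({"impersonate", "*"} & verbs):
        return False
    resources = set(rule.get("resources", []))
    api_groups = set(rule.get("apiGroups", []))
    for group, targets in IMPERSONATION_TARGETS.items():
        group_ok = "*" in api_groups or group in api_groups
        # Subresources such as userextras/scopes are written "resource/sub".
        resource_ok = "*" in resources or any(
            r.split("/", 1)[0] in targets for r in resources
        )
        if group_ok and resource_ok:
            return True
    return False


def impersonating_service_accounts(roles: list, bindings: list) -> dict:
    """Return {"namespace/sa-name": [role names]} for SAs bound to impersonating roles."""
    # A Role is looked up by (kind, namespace, name); a ClusterRole has no namespace.
    rules_by_role = {
        (r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r.get("rules", [])
        for r in roles
    }
    findings = defaultdict(list)
    for b in bindings:
        ref = b["roleRef"]
        ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        rules = rules_by_role.get((ref["kind"], ns, ref["name"]), [])
        if not any(rule_grants_impersonation(r) for r in rules):
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                findings[f"{s['namespace']}/{s['name']}"].append(ref["name"])
    return dict(findings)


def controller_findings(controllers: list, flagged: dict) -> list:
    """Report each controller whose pod template runs as a flagged SA and
    whether the token is mounted (automountServiceAccountToken defaults to true)."""
    out = []
    for c in controllers:
        spec = c["spec"]["template"]["spec"]
        sa = f"{c['metadata']['namespace']}/{spec.get('serviceAccountName', 'default')}"
        if sa not in flagged:
            continue
        out.append({
            "controller": f"{c['kind']}/{c['metadata']['name']}",
            "serviceAccount": sa,
            "roles": flagged[sa],
            "tokenMounted": spec.get("automountServiceAccountToken", True),
        })
    return out


# Constructed sample data (hypothetical names).
ROLES = [
    # Weak: wildcard verbs on wildcard resources silently include impersonate.
    {"kind": "ClusterRole", "metadata": {"name": "pod-controller-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Explicit impersonation grant in a namespaced Role.
    {"kind": "Role", "metadata": {"name": "impersonator", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    # Least-privilege replacement: only what a pod-watching controller needs.
    {"kind": "ClusterRole", "metadata": {"name": "pod-controller-readonly"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-controller-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-controller-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "pod-controller-sa", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "impersonator", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "impersonator"},
     "subjects": [{"kind": "ServiceAccount", "name": "batch-sa", "namespace": "payments"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-controller-readonly"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-controller-readonly"},
     "subjects": [{"kind": "ServiceAccount", "name": "reporting-sa", "namespace": "payments"}]},
]
CONTROLLERS = [
    {"kind": "Deployment", "metadata": {"name": "pod-controller", "namespace": "payments"},
     "spec": {"template": {"spec": {"serviceAccountName": "pod-controller-sa"}}}},
    {"kind": "Deployment", "metadata": {"name": "batch", "namespace": "payments"},
     "spec": {"template": {"spec": {"serviceAccountName": "batch-sa",
                                    "automountServiceAccountToken": False}}}},
    {"kind": "Deployment", "metadata": {"name": "reporting", "namespace": "payments"},
     "spec": {"template": {"spec": {"serviceAccountName": "reporting-sa"}}}},
]

if __name__ == "__main__":
    for finding in controller_findings(CONTROLLERS, impersonating_service_accounts(ROLES, BINDINGS)):
        print(finding)
```

Running the module reports `Deployment/pod-controller` (token mounted, bound through the wildcard ClusterRole) and `Deployment/batch` (explicit grant, but the token is not mounted); `Deployment/reporting`, which runs under the read-only ClusterRole, is not reported. The wildcard case is the one worth remembering: a role written as `verbs: ["*"]` on `resources: ["*"]` grants impersonation without ever naming it, so a check that only greps for the literal `impersonate` verb will miss it.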