Controller of pods with impersonation privileges service account

Lateral movement

Controller of pods with impersonation privileges service account

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

Brazilian General Data Protection (LGPD)
CCPA
CPRA
essential_8_au
GDPR
ISO/IEC 27001
K8s OWASP Top 10
Mitre ATT&CK
New Zealand Information Security Manual
NIST 800-171
NIST 800-190
NIST 800-53
PDPA
UK Cyber Essentials

Description

Controllers are responsible for pods state using a declaration of pod definition. Pods utilize a service account associated with them to communicate with the Kubernetes API, and that service account is mounted by default to any newly created containers. Orca has detected that the Controller {K8sController} creates pods that can impersonate other service account/users/groups in the {K8sController.PodSpec.K8sCluster} cluster. An attacker with access to the pod's container can extract the service account token and impersonate to it in order to impersonate a stronger identity and gain a stronger foothold of the {K8sController.PodSpec.K8sCluster} cluster.

Recommended Mitigation

Consider changing {K8sController}'s role according to the least privilege principle.

Controller of pods with impersonation privileges service account

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS