Lateral movement

Controller of pods with role that allows the creation or modification of other pods

Description

Controllers manage the state of pods from a declared pod template. Pods use the service account associated with them to communicate with the Kubernetes API, and that service account's token is mounted by default into any newly created container. Orca has detected that the controller {K8sController} creates pods whose service account can create new pods or modify existing pods. An attacker with access to the pod's container can extract the service account token and use it to impersonate the service account, gaining a persistent foothold in the {K8sController.PodSpec.K8sCluster} cluster.
  • Recommended Mitigation

    Consider changing {K8sController}'s role according to the least privilege principle.
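As an added example (not Orca's detection logic or any project's code), the following Python evaluates constructed Role, RoleBinding and Deployment manifests and reports which pod-write verbs the controller's pods inherit through their mounted service account token, then shows the same check against a least-privilege Role. `audit_controller`, `BROAD_ROLE`, `LEAST_ROLE` and the other names are hypothetical; the check only covers the core API group, direct bindings and the pod-spec `automountServiceAccountToken` flag.

```python
# Offline RBAC audit. Manifests are plain dicts shaped like the Kubernetes
# objects (parse real ones with a YAML/JSON loader). Constructed samples below.

POD_WRITE_VERBS = ("create", "update", "patch")  # verbs that spawn or alter pods

def rule_grants(rule, resource, verb):
    """True if one RBAC rule covers core-group `resource`/`verb` ('*' is a wildcard)."""
    return (any(g in ("", "*") for g in rule.get("apiGroups", []))
            and any(r in (resource, "*") for r in rule.get("resources", []))
            and any(v in (verb, "*") for v in rule.get("verbs", [])))

def sa_pod_write_verbs(ns, sa, roles, bindings):
    """Pod-write verbs the service account gets via (Cluster)RoleBindings.
    `roles` is keyed by (kind, name) so ClusterRoles and Roles can coexist."""
    found = set()
    for b in bindings:
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                   and s.get("namespace") == ns for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        for rule in roles.get((ref["kind"], ref["name"]), {}).get("rules", []):
            found.update(v for v in POD_WRITE_VERBS if rule_grants(rule, "pods", v))
    return found

def audit_controller(controller, roles, bindings):
    """Risky verbs reachable from the controller's pods; empty set means no finding."""
    ns = controller["metadata"]["namespace"]
    spec = controller["spec"]["template"]["spec"]
    # The token is mounted by default; an explicit false on the pod spec stops that.
    if spec.get("automountServiceAccountToken", True) is False:
        return set()
    return sa_pod_write_verbs(ns, spec.get("serviceAccountName", "default"), roles, bindings)

# Constructed samples: a Deployment whose pods run as "worker-sa", one over-broad
# Role and a least-privilege replacement that drops the pod verbs.
BROAD_ROLE = {"kind": "Role", "rules": [{"apiGroups": [""],
              "resources": ["pods", "configmaps"], "verbs": ["get", "list", "create", "patch"]}]}
LEAST_ROLE = {"kind": "Role", "rules": [{"apiGroups": [""],
              "resources": ["configmaps"], "verbs": ["get", "list"]}]}
BINDING = {"kind": "RoleBinding", "roleRef": {"kind": "Role", "name": "worker"},
           "subjects": [{"kind": "ServiceAccount", "name": "worker-sa", "namespace": "apps"}]}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "apps"},
              "spec": {"template": {"spec": {"serviceAccountName": "worker-sa"}}}}

if __name__ == "__main__":
    print("broad role :", audit_controller(DEPLOYMENT, {("Role", "worker"): BROAD_ROLE}, [BINDING]))
    print("least role :", audit_controller(DEPLOYMENT, {("Role", "worker"): LEAST_ROLE}, [BINDING]))
```

Running it reports `{'create', 'patch'}` for the over-broad Role and an empty set once the pod verbs are removed, which is the state the mitigation above asks for.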