Lateral movement

Controller of pods with the ability to read secrets

Risk Level

Hazardous (3)

Compliance Frameworks

  • N/A

Controllers (Deployments, DaemonSets, StatefulSets and similar) maintain the desired state of pods from a declared pod template. Each pod runs under a service account, which it uses to talk to the Kubernetes API; by default that service account's token is mounted into every container the pod creates. Orca has detected that the controller {K8sController} creates pods whose service account is bound to a role that allows reading secrets in the {K8sController.PodSpec.Namespace} namespace or across the {K8sController.PodSpec.K8sCluster} cluster. An attacker who gains access to one of the pod's containers can use the mounted token to read the secrets in scope, including the tokens of other service accounts, and so impersonate those accounts and access the sensitive data stored in secrets in the {K8sController.PodSpec.K8sCluster} cluster.
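The check behind this finding can be reproduced from the cluster's own RBAC objects. The following is an added example, not Orca's code: it walks Roles, ClusterRoles and their bindings (in the shape returned by `kubectl get ... -o json`) and reports each controller whose pod service account is granted `get`, `list`, `watch` or `*` on `secrets`, distinguishing namespace-scoped from cluster-wide access. All objects in the sample data are constructed for illustration; the namespace and object names are assumptions.

```python
# Added example (not Orca's code): evaluate Kubernetes RBAC objects, as returned
# by `kubectl get ... -o json`, to find controllers whose pod service account
# is bound to a role that can read Secrets. All sample objects are constructed.

READ_VERBS = {"get", "list", "watch", "*"}


def rule_reads_secrets(rule):
    """True if one RBAC rule grants a read-type verb on the core 'secrets' resource."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    core_group = "" in groups or "*" in groups        # secrets live in the core ("") API group
    on_secrets = "secrets" in resources or "*" in resources
    readable = bool(READ_VERBS & set(verbs))
    return core_group and on_secrets and readable


def role_reads_secrets(role):
    return any(rule_reads_secrets(r) for r in role.get("rules", []))


def _binds_sa(binding, ns, sa):
    """True if the (Cluster)RoleBinding lists service account ns/sa as a subject."""
    binding_ns = binding["metadata"].get("namespace")
    for s in binding.get("subjects", []):
        if s.get("kind") != "ServiceAccount" or s.get("name") != sa:
            continue
        # In a RoleBinding the subject namespace defaults to the binding's namespace.
        if s.get("namespace", binding_ns) == ns:
            return True
    return False


def secret_read_scope(ns, sa, roles, bindings):
    """Return 'cluster', the namespace in which secrets are readable, or None."""
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    scope = None
    for b in bindings:
        if not _binds_sa(b, ns, sa):
            continue
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            role = index.get(("ClusterRole", None, ref["name"]))
            if role and role_reads_secrets(role):
                return "cluster"  # cluster-wide read is the worst case; nothing outranks it
        else:
            # A RoleBinding applies a Role from its own namespace, or a ClusterRole's
            # rules restricted to that namespace.
            bns = b["metadata"]["namespace"]
            key = (("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole"
                   else ("Role", bns, ref["name"]))
            role = index.get(key)
            if role and role_reads_secrets(role):
                scope = bns
    return scope


def flag_controllers(controllers, roles, bindings):
    """List (controller, service account, scope) for controllers whose pods can read Secrets."""
    findings = []
    for c in controllers:
        ns = c["metadata"]["namespace"]
        pod_spec = c["spec"]["template"]["spec"]
        if pod_spec.get("automountServiceAccountToken") is False:
            continue  # no token mounted in the container, so there is nothing to replay
        sa = pod_spec.get("serviceAccountName", "default")  # pods fall back to 'default'
        scope = secret_read_scope(ns, sa, roles, bindings)
        if scope:
            findings.append((c["metadata"]["name"], sa, scope))
    return findings


# Constructed sample cluster state (hypothetical names).
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "payments", "name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"namespace": "payments", "name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "all-secrets"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "payments", "name": "worker-secrets"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "worker"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "payments", "name": "api-cm"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "api"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "all-secrets"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "tooling"}]},
]
CONTROLLERS = [
    {"kind": "Deployment", "metadata": {"namespace": "payments", "name": "worker"},
     "spec": {"template": {"spec": {"serviceAccountName": "worker"}}}},
    {"kind": "Deployment", "metadata": {"namespace": "payments", "name": "api"},
     "spec": {"template": {"spec": {"serviceAccountName": "api"}}}},
    {"kind": "Deployment", "metadata": {"namespace": "tooling", "name": "ops-agent"},
     "spec": {"template": {"spec": {"serviceAccountName": "ops"}}}},
    {"kind": "Deployment", "metadata": {"namespace": "tooling", "name": "ops-batch"},
     "spec": {"template": {"spec": {"serviceAccountName": "ops",
                                    "automountServiceAccountToken": False}}}},
]

if __name__ == "__main__":
    for name, sa, scope in flag_controllers(CONTROLLERS, ROLES, BINDINGS):
        print(f"{name}: service account '{sa}' can read secrets ({scope})")
```

Two points the example deliberately surfaces: a wildcard ClusterRole bound through a ClusterRoleBinding is reported as cluster-wide, which is the more severe variant of this finding, and a pod template with `automountServiceAccountToken: false` is skipped because the token never reaches the container. The same field can also be set on the ServiceAccount object itself, and ClusterRoles built by aggregation carry their rules elsewhere; a production check has to account for both, which this short example does not.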
  • Recommended Mitigation

    Consider removing the rule that allows {K8sController} to read secrets.