Technique entry
K-ADMISSION-WEBHOOK
Persistence
Malicious Admission Webhook
Create / hijack a ValidatingWebhookConfiguration to intercept every API call — credential & secret harvesting.
§ Where this technique fits
K-ADMISSION-WEBHOOK is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 6.5 on average.
§ Dossiers chaining this technique
- step 6 / 6
Exposed etcd → cluster-wide secret raid
etcd is reachable without mTLS — read every Secret in the cluster including service-account tokens that grant cluster-admin.
- step 7 / 7
Privileged pod escape → cluster admin
GenericWrite on a Deployment in the kube-system namespace lets you launch a privileged pod; the pod mounts the host filesystem and steals the kubeconfig of cluster-admin.