Home Resources Blog The Reconnaissance Playbook of a Kubernetes Attacker
Cloud Security

The Reconnaissance Playbook of a Kubernetes Attacker

As Kubernetes gained widespread adoption in production environments, it became more attractive to attackers. Its distributed and dynamic nature made it a favorite for scalable and flexible containerized applications, but it also introduced some vulnerabilities and misconfigurations that can be exploited.

For an attacker looking to exploit a Kubernetes cluster, reconnaissance is a critical first step. This is where they map the environment, identify entry points, and plan exploits.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

In this article, you’ll look over the shoulder of an attacker to learn the Kubernetes reconnaissance playbook so you can secure your Kubernetes clusters against these threats.

Setting the Scene for Reconnaissance in Kubernetes

Reconnaissance is how attackers gather critical information about a Kubernetes cluster — its structure, components, and potential weaknesses. Speaking of components, we need to understand what they are and how they interconnect to fully grasp how attackers conduct recon.

The components include:

  1. Container: Containers are lightweight, portable units that encapsulate application code and its dependencies. While they are designed to be isolated, misconfigurations can expose critical information, such as:
    • Kubernetes API server IP addresses (KUBERNETES_SERVICE_HOST).
    • Ports used by the cluster (KUBERNETES_SERVICE_PORT).
    • Service credentials or access tokens inadvertently embedded in application config files.
  2. Pod: A pod is the basic deployable unit in Kubernetes, consisting of one or more containers that share storage and network resources. Attackers often focus on pods to explore inter-container communications.
  3. Service Account: Service accounts act as digital identities for pods, enabling them to interact with the Kubernetes API. Over-permissioned service accounts can be exploited to access cluster-wide resources. Attackers use service account tokens to:
    • Query the Kubernetes API for cluster-wide information.
    • Execute commands on other pods, gaining lateral access.
  4. Deployment: Deployments manage pods and ensure they run according to specified configurations. Attackers may target deployments to manipulate the application’s scale or behavior.
  5. Namespace: Namespaces logically partition the cluster, grouping resources for different teams or environments. By enumerating namespaces, attackers can gain a better understanding of the cluster’s organization.
  6. Node: Nodes are physical or virtual machines that host pods. They provide the compute power behind the cluster and may expose vulnerabilities through misconfigurations or outdated software.
  7. Cluster: A cluster is a collection of nodes working together as a cohesive unit, orchestrated by Kubernetes to deploy, manage, and scale containerized applications. Attackers focus on clusters to map resources and identify weak points.

The Kubernetes Reconnaissance Playbook

After gaining access to a container, whether through phishing attacks, unsecured network endpoints, or some other way, attackers deploy a series of commands and tools to perform reconnaissance:

1. Locating Kubernetes-related files

Attackers search the file system for directories containing Kubernetes data:

root@container:/# find / 2>/dev/null | grep -i kube 
/run/secrets/kubernetes.io /run/secrets/kubernetes.io/serviceaccount /run/secrets/kubernetes.io/serviceaccount/namespace 
/run/secrets/kubernetes.io/serviceaccount/ca.crt 
/run/secrets/kubernetes.io/serviceaccount/token

Finding these files confirms the presence of Kubernetes and reveals sensitive details like the service account token.

2. Enumerating environment variables

With the environment variables listed, attackers can find cluster-specific information:

root@container:/# env | grep -i kube KUBERNETES_SERVICE_PORT_HTTPS=443 
KUBERNETES_SERVICE_PORT=443 KUBERNETES_PORT_443_TCP=tcp://10.33.144.1:443 
KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_ADDR=10.33.144.1 KUBERNETES_SERVICE_HOST=10.33.144.1 KUBERNETES_PORT=tcp://10.33.144.1:443 
KUBERNETES_PORT_443_TCP_PORT=443

This will reveal the Kubernetes API server’s IP, which attackers can use to query the cluster.

3. Querying the Kubernetes API

Using service account tokens, attackers can query the API to map the cluster.

Common API paths queried include:

  1. Namespaces: /api/v1/namespaces
  2. Pods in a Namespace: /api/v1/namespaces/$NAMESPACE/pods
  3. Nodes: /api/v1/nodes
# Get namespaces
https://$KUBERNETES_SERVICE_HOST/api/v1/namespaces/ 
# Get pods inside a namespace 
https://$KUBERNETES_SERVICE_HOST/api/v1/namespaces/$NAMESPACE/pods 
# Get service accounts 
https://$KUBERNETES_SERVICE_HOST/api/v1/serviceaccounts 
# Get nodes 
https://$KUBERNETES_SERVICE_HOST/api/v1/nodes 
# Get deployments 
https://$KUBERNETES_SERVICE_HOST/apis/apps/v1/deployments 
# Run a command on node curl -X POST -k -H 
"Content-Type: application/json" \ -H 
"Authorization: bearer 
$(cat /run/secrets/kubernetes.io/serviceaccount/token)" \ https://$KUBERNETES_SERVICE_HOST/api/v1/namespaces/$NAMESPACE/pods/$POD/exec?command=/bin/bash&stdin=true&stderr=true&stdout=true&tty=true

4. Network scanning

Network scans reveal accessible endpoints and open ports within the cluster:

5. Searching for docker socket files

Some containers may mount the Docker socket (docker.sock), allowing attackers to execute Docker commands and potentially escalate privileges:

root@container:/# find / -name docker.sock

What can you do to secure your Kubernetes cluster from an attacker’s recon?

How to Defend Against Kubernetes Reconnaissance

Securing Kubernetes against reconnaissance requires a proactive and multi-layered approach that shields your cluster from potential exploits.

Start by hardening your Kubernetes configurations. Restrict access to sensitive files and directories to prevent attackers from finding the critical data they contain. Implement strict Role-Based Access Control (RBAC) policies to ensure service accounts have only the permissions they need. No more than that. This way, you significantly reduce the risk of privilege escalation.

You also want to make it a habit to audit Kubernetes API access and logs regularly. Spotting unusual activity early can stop threats before they escalate into serious incidents.

Next, focus on network segmentation to limit an attacker’s ability to move laterally within your cluster. Apply network policies to control how pods communicate with each other and with external networks.

This isolation is crucial. For example, if an attacker compromises one pod, strong segmentation prevents them from accessing others. Adding ingress and egress rules further tightens security by restricting unnecessary traffic. These measures create a controlled network environment that makes reconnaissance efforts head-scratchingly difficult for attackers.

Monitoring is another prime defense strategy. It ensures threats are identified and neutralized before they escalate. To achieve this, deploy runtime security tools that detect anomalous activity in real time. Imagine spotting unauthorized API queries or unusual system calls early on. These are subtle, early signs of recon.

You can also use technologies like eBPF, which offers comprehensive visibility into both system and network events. With eBPF, you gain the ability to monitor threats as they happen, keeping an eye on your cluster’s health without impacting performance or adding operational overhead.

Finally, turn to cloud-native security platforms for comprehensive protection. These platforms, such as the partners we work with at GlobalDots, offer continuous monitoring and real-time threat detection across Kubernetes layers 3, 4, and 7. They don’t just alert you to problems; they help you prioritize risks by cutting through the noise to highlight the most critical issues.

Additionally, their automated response capabilities let you neutralize threats quickly, ensuring your Kubernetes environment stays resilient.

Combining these proactive measures forms a rigid defense that keeps your clusters secure and operational.

In Summary…

With immense power and flexibility in Kubernetes comes unique security challenges. Attackers’ reconnaissance efforts exploit vulnerabilities and misconfigurations to map the environment and plan their exploits.

But with your newfound understanding of their recon playbook and implementing strong security practices, you can proactively defend your clusters.

This blog post was written in collaboration with Upwind

Latest Articles

Cloud Security
Closing the Gaps in API Security: How to Build Visibility and Protection for Modern Enterprises

APIs may be your organization’s greatest enabler, but without proper context, they can become its Achilles’ heel. APIs power modern digital ecosystems, connecting applications, enabling seamless machine-to-machine communication, and driving operational efficiencies. However, as APIs become the backbone of enterprises, they also represent an expanding attack surface — one that traditional Web Application and API […]

27th February, 2025
Cloud Cost Optimization Cloud Security
What are the biggest business worries in 2025?

No matter their industry or profession, practically every business in the UK and around the world has concerns for the year ahead. Whether it’s employee retention, rising costs, or simply finding new customers, each and every business owner has to make crucial decisions around these fears in order to successfully lead their company forward. However, […]

20th February, 2025
Cloud Security
From 2024 to 2025: The Evolving DDoS Threat Landscape

The numbers from the DDoS landscape tell a troubling story. In Q3 2024, DDoS attacks reached unprecedented levels, reaching a record-breaking Tbps and billion packet-per-second attack. These hyper-volumetric campaigns tested the resilience of global networks against attackers who are becoming faster, smarter, and more resourceful. They also became a wake-up call for IT leaders who […]

13th February, 2025
Cloud Security
Universal ZTNA: How Does it Compare to Traditional ZTNA?

How will you protect your network as cloud-first strategies and hybrid workforces redefine the modern business landscape? While Traditional Zero-Trust Network Access (ZTNA) solutions laid the foundation for secure access, Universal ZTNA is rewriting the rules. Imagine a solution that unifies your security policies across all environments, simplifies management, and scales easily. That’s Universal ZTNA. […]

12th February, 2025
Back to Resources

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services