Skip to content


Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Impact
Using cloud credentials Exec into container Backdoor container Privileged container Clear container logs List K8S secrets Access Kubernetes API server Access cloud resources Images from a private registry Data destruction
Compromised image In registry bash/cmd inside container Writable hostPath mount Cluster-admin binding Delete K8S events Mount service principal Access Kubelet API Container service account Collecting data from pod Resource hijacking
Kubeconfig file New container Kubernetes CronJob hostPath mount Pod / container name similarity Container service account Network mapping Cluster internal networking Denial of service
Application vulnerability Application exploit (RCE) Malicious admission controller Access cloud resources Connect from proxy server Application credentials in configuration files Exposed sensitive interfaces Application credentials in configuration files
Exposed sensitive interfaces SSH server running inside container Container service account Access managed identity credentials Instance Metadata API Writable hostPath mount
Sidecar injection Static pods Malicious admission controller CoreDNS poisoning
ARP poisoning and IP spoofing

The purpose of the Threat Matrix for Kubernetes is to educate readers on the potential of Kubernetes-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them.