Application exploit (RCE)
An application deployed in the cluster that has a remote code execution vulnerability, or a vulnerability that eventually allows code execution, lets attackers run code in the cluster. If a service account token is mounted to the container (the default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account's credentials.
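The default described above (a service account token mounted into every container unless something opts out) can be audited from manifests alone. The following is an added example, not code from the original threat matrix: it encodes the Kubernetes precedence rule that `spec.automountServiceAccountToken` on the Pod overrides the same field on the ServiceAccount, and that the token is mounted when neither is set. The ServiceAccount and Pod manifests are constructed sample data.

```python
# Added example, not from the original threat-matrix page: audit Pod manifests
# for the default this entry warns about, the auto-mounted service account token.
# Kubernetes semantics encoded here: spec.automountServiceAccountToken on the Pod
# overrides the same field on the ServiceAccount; if neither is set, the token is
# mounted. Manifests are constructed inline as dicts so this runs without a cluster.

SERVICE_ACCOUNTS = {  # constructed sample ServiceAccounts, keyed by name
    "default": {},
    "locked-down": {"automountServiceAccountToken": False},
}

PODS = [  # constructed sample Pods (metadata.name + spec)
    {"metadata": {"name": "web-frontend"}, "spec": {}},
    {"metadata": {"name": "batch-job"},
     "spec": {"automountServiceAccountToken": False}},
    {"metadata": {"name": "api-proxy"},
     "spec": {"serviceAccountName": "locked-down"}},
    {"metadata": {"name": "admin-tool"},
     "spec": {"serviceAccountName": "locked-down",
              "automountServiceAccountToken": True}},
]


def token_mounted(pod: dict, service_accounts: dict) -> bool:
    """True if the API token would be mounted into this Pod's containers."""
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)  # Pod-level field takes precedence
    sa = service_accounts.get(spec.get("serviceAccountName", "default"), {})
    sa_setting = sa.get("automountServiceAccountToken")
    if sa_setting is not None:
        return bool(sa_setting)
    return True  # neither side set: Kubernetes mounts the token by default


def audit(pods, service_accounts):
    """Names of Pods whose containers would receive a service account token.

    Each hit is a workload where an RCE in the application also yields API
    server credentials; review whether the workload needs API access at all.
    """
    return [p["metadata"]["name"] for p in pods if token_mounted(p, service_accounts)]


if __name__ == "__main__":
    for name in audit(PODS, SERVICE_ACCOUNTS):
        print(f"{name}: service account token is mounted")
```

Pods flagged by `audit` are candidates for `automountServiceAccountToken: false` (or a dedicated ServiceAccount with that field set) so that code execution in the application does not come with API server credentials.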
Mitigations
ID | Mitigation | Description |
---|---|---|
MS-M9005 | Image Assurance Policy | Block vulnerable images |
MS-M9014 | Network Segmentation | Limit network access to containers |
MS-M9011 | Restrict Container Runtime using LSM | Restrict container runtime capabilities using LSM. |