Kubeconfig file
Info
ID: MS-TA9003
Tactic: Initial Access
MITRE technique:
The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters, including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., `az aks get-credentials` for AKS or `gcloud container clusters get-credentials` for GKE).
If attackers get access to this file, for instance via a compromised client, they can use it to access the clusters.
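To see what a copied kubeconfig would hand over, the following added example (not part of the original page) audits the JSON produced by `kubectl config view -o json` for user entries that embed static credentials, and checks whether the file is readable by other local accounts. The sample data, the user names and the `example-credential-plugin` command are constructed for illustration.

```python
import json
import os
import stat

# User-entry fields that hold a static secret usable by anyone who copies the file.
STATIC_FIELDS = ("token", "client-key-data", "password")

# Constructed sample in the shape of `kubectl config view -o json` output
# (secret values appear redacted, which is all the audit needs).
SAMPLE = json.loads("""
{
  "clusters": [{"name": "prod", "cluster": {"server": "https://k8s.example.invalid:443"}}],
  "users": [
    {"name": "ci-bot", "user": {"token": "REDACTED"}},
    {"name": "alice", "user": {"client-certificate-data": "DATA+OMITTED",
                               "client-key-data": "DATA+OMITTED"}},
    {"name": "bob", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1",
                                      "command": "example-credential-plugin"}}}
  ]
}
""")


def audit_users(config):
    """Map each user name to the static credential fields embedded in its entry."""
    report = {}
    for entry in config.get("users") or []:
        user = entry.get("user") or {}
        report[entry.get("name", "<unnamed>")] = [f for f in STATIC_FIELDS if user.get(f)]
    return report


def readable_by_others(path):
    """True if group or other has any permission bit set on the kubeconfig file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    for name, fields in audit_users(SAMPLE).items():
        status = "static: " + ", ".join(fields) if fields else "no embedded static secret"
        print(f"{name}: {status}")
    # KUBECONFIG may list several files separated by the OS path separator.
    default = os.path.expanduser("~/.kube/config")
    for path in os.environ.get("KUBECONFIG", default).split(os.pathsep):
        if path and os.path.exists(path) and readable_by_others(path):
            print(f"{path}: readable by group/other, tighten to 0600")
```

Entries that report a static field are the ones whose cluster access travels with the file; entries that rely on an `exec` credential plugin obtain credentials at use time instead.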
Mitigations
ID | Mitigation | Description |
---|---|---|
MS-M9003 | Adhere to least-privilege principle | Limit privileges and actions that can be achieved by getting access to a kubeconfig file |
MS-M9002 | Restrict access to the API server using IP firewall | Restrict access to the API server from known IP addresses |
MS-M9006 | Enable Just In Time access to API server | Enable JIT elevated access to API server to limit attack surface or impact. |