Kubeconfig file


ID: MS-TA9003
Tactic: Initial Access
MITRE technique:

The kubeconfig file, also used by kubectl, contains details about Kubernetes clusters, including their location and credentials. If the cluster is hosted as a cloud service (such as AKS or GKE), this file is downloaded to the client via cloud commands (e.g., az aks get-credentials for AKS or gcloud container clusters get-credentials for GKE).

If attackers get access to this file, for instance via a compromised client, they can use it to access the clusters.


| ID | Mitigation | Description |
| --- | --- | --- |
| MS-M9003 | Adhere to least-privilege principle | Limit privileges and actions that can be achieved by getting access to a kubeconfig file |
| MS-M9002 | Restrict access to the API server using IP firewall | Restrict access to the API server from known IP addresses |
| MS-M9006 | Enable Just In Time access to API server | Enable JIT elevated access to API server to limit attack surface or impact. |
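
To see what a copied kubeconfig would hand over, the following added example (not part of the original page or of any Microsoft tooling) flags users whose reusable secret is embedded in the file, clusters with TLS verification disabled, and file modes readable beyond the owner. It assumes the JSON form printed by `kubectl config view --raw -o json`; the sample document, its names and values, and the function names are constructed for illustration.

```python
import json
import os
import stat

# Constructed sample: the JSON form of a kubeconfig, as printed by
# `kubectl config view --raw -o json`. Every name and value is made up.
SAMPLE = json.dumps({
    "clusters": [
        {"name": "prod", "cluster": {"server": "https://prod.example.invalid"}},
        {"name": "lab", "cluster": {"server": "https://lab.example.invalid",
                                    "insecure-skip-tls-verify": True}},
    ],
    "users": [
        {"name": "ci-bot", "user": {"token": "CONSTRUCTED-TOKEN"}},
        {"name": "alice", "user": {"exec": {"command": "example-credential-plugin"}}},
        {"name": "admin", "user": {"client-certificate-data": "Q09OU1RSVUNURUQ=",
                                   "client-key-data": "Q09OU1RSVUNURUQ="}},
    ],
    "contexts": None,  # lists may be null when empty, so the audit tolerates it
})

# User fields that place a reusable secret inside the file itself.
STATIC_SECRETS = ("token", "password", "client-key-data")


def audit_kubeconfig(doc):
    """Return sorted (kind, name, finding) tuples for risky entries."""
    findings = []
    for entry in doc.get("users") or []:
        user = entry.get("user") or {}
        for field in STATIC_SECRETS:
            if user.get(field):
                findings.append(("user", entry.get("name"), f"embedded {field}"))
    for entry in doc.get("clusters") or []:
        if (entry.get("cluster") or {}).get("insecure-skip-tls-verify"):
            findings.append(("cluster", entry.get("name"), "TLS verification disabled"))
    return sorted(findings)


def mode_too_open(path):
    """True if group or others hold any permission bit (POSIX modes only)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    for kind, name, finding in audit_kubeconfig(json.loads(SAMPLE)):
        print(f"{kind} {name}: {finding}")
```

Users that authenticate through an exec credential plugin, like the constructed `alice` entry, produce no finding because the file itself holds no reusable secret for them.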