New container
Attackers may run their own code in the cluster by deploying a new container. An attacker with permission to create a pod, or a controller that creates pods (such as a DaemonSet, ReplicaSet or Deployment), can create such a resource with an image and command of their choosing, and the cluster will schedule and run it.
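The following detection script is an added example and is not part of the threat matrix or any Microsoft tooling. It reads Kubernetes API-server audit events (assumed to be JSON lines in the audit.k8s.io/v1 Event shape) and flags admitted `create` requests for pods or pod controllers. The set of controller resources, the treatment of `system:` control-plane principals as benign, and the sample log lines are all assumptions constructed for this example.

```python
import json

# Resources whose creation results in a running container: pods plus the
# pod controllers named on the page and the other built-in workload kinds.
# (Assumed list, not taken from the page.)
WORKLOAD_RESOURCES = {
    "pods", "daemonsets", "replicasets", "deployments",
    "statefulsets", "jobs", "cronjobs",
}


def is_builtin_controlplane(username):
    """Assumption: built-in components (kube-controller-manager, scheduler,
    kubelets) legitimately create pods and ReplicaSets on behalf of users.
    Service accounts ("system:serviceaccount:<ns>:<name>") are NOT treated
    as built-in, because a stolen token shows up under such a name."""
    return username.startswith("system:") and not username.startswith("system:serviceaccount:")


def is_new_container_event(event):
    """True when an admitted create request produced a pod or pod controller."""
    if event.get("stage") != "ResponseComplete":  # skip the RequestReceived duplicate
        return False
    if event.get("verb") != "create":
        return False
    ref = event.get("objectRef") or {}
    if ref.get("resource") not in WORKLOAD_RESOURCES:
        return False
    if ref.get("subresource"):  # pods/exec, pods/binding, ... are not new containers
        return False
    code = (event.get("responseStatus") or {}).get("code", 0)
    if not 200 <= code < 300:  # denied or failed creates ran nothing
        return False
    user = (event.get("user") or {}).get("username", "")
    return not is_builtin_controlplane(user)


def find_new_container_events(audit_lines):
    """Return one finding per audit line that matches the technique."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_new_container_event(event):
            ref = event["objectRef"]
            findings.append({
                "user": event["user"]["username"],
                "namespace": ref.get("namespace", ""),
                "resource": ref["resource"],
                "name": ref.get("name", ""),
                "sourceIPs": event.get("sourceIPs", []),
            })
    return findings


def _event(user, resource, name="", namespace="default", verb="create",
           code=201, subresource=None, stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 Event as a JSON line."""
    ref = {"resource": resource, "namespace": namespace, "name": name}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "user": {"username": user}, "sourceIPs": ["10.0.0.5"],
        "objectRef": ref, "responseStatus": {"code": code},
    })


# Constructed sample audit log: only the first and third lines should fire.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("alice", "deployments", name="miner"),                       # user creates a controller
    _event("system:kube-controller-manager", "replicasets", name="miner-7d9f"),  # built-in follow-on
    _event("system:serviceaccount:default:webapp", "pods", name="shell"),  # SA token creates a pod
    _event("bob", "pods", name="web-0", subresource="exec", code=200),  # exec, a different technique
    _event("carol", "daemonsets", name="agent", code=403),              # denied by RBAC
    _event("alice", "configmaps", name="settings"),                     # not a workload resource
])

if __name__ == "__main__":
    for f in find_new_container_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f['user']} created {f['resource']}/{f['name']} in {f['namespace']} from {f['sourceIPs']}")
```

Audit events are emitted at both the RequestReceived and ResponseComplete stages, so filtering on the stage and on a 2xx response status avoids double counting and ignores creates that RBAC or an admission controller rejected; `pods/exec` is also a `create` verb on the `pods` resource, so the subresource check keeps that separate technique out of these results.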
Mitigations
ID | Mitigation | Description |
---|---|---|
MS-M9003 | Adhere to least-privilege principle | Prevent unnecessary users and service accounts from creating new pods and controllers. |
MS-M9013 | Restrict over-permissive containers | Restrict over-permissive containers in the cluster using an admission controller. |
MS-M9005.003 | Gate images deployed to Kubernetes cluster | Restrict deployment of new containers to images from a trusted supply chain. |