mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
53 lines
1.2 KiB
Markdown
53 lines
1.2 KiB
Markdown
# API Reference: Detecting Privilege Escalation in Kubernetes Pods
|
|
|
|
## Security Context Checks
|
|
|
|
| Check | Risk | Description |
|
|
|-------|------|-------------|
|
|
| privileged: true | CRITICAL | Full host access |
|
|
| allowPrivilegeEscalation | HIGH | setuid escalation |
|
|
| runAsUser: 0 | HIGH | Running as root |
|
|
| hostPID: true | CRITICAL | Host PID namespace |
|
|
| hostNetwork: true | HIGH | Host network access |
|
|
|
|
## Dangerous Capabilities
|
|
|
|
| Capability | Risk |
|
|
|------------|------|
|
|
| SYS_ADMIN | Container escape |
|
|
| SYS_PTRACE | Process debugging |
|
|
| SYS_MODULE | Kernel module loading |
|
|
| NET_ADMIN | Network manipulation |
|
|
|
|
## kubectl Audit Commands
|
|
|
|
```bash
|
|
kubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true)'
|
|
kubectl auth can-i --list --as=system:serviceaccount:ns:sa
|
|
```
|
|
|
|
## Pod Security Standards
|
|
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
labels:
|
|
pod-security.kubernetes.io/enforce: restricted
|
|
```
|
|
|
|
## Falco Rules
|
|
|
|
```yaml
|
|
- rule: Pod with Privileged Container
|
|
condition: kevt and kcreate and container.privileged=true
|
|
priority: CRITICAL
|
|
```
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
python agent.py --namespace default
|
|
python agent.py --json-file pods.json
|
|
```
|