mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
1.2 KiB
1.2 KiB
Workflow - Detecting Privilege Escalation in Kubernetes Pods
Phase 1: Assess Current State
# Find privileged pods
kubectl get pods -A -o json | jq '[.items[] | select(.spec.containers[].securityContext.privileged==true) | {name:.metadata.name, ns:.metadata.namespace}]'
# Find pods running as root
kubectl get pods -A -o json | jq '[.items[] | select(.spec.securityContext.runAsUser==0 or .spec.containers[].securityContext.runAsUser==0) | {name:.metadata.name, ns:.metadata.namespace}]'
# Find hostPath mounts
kubectl get pods -A -o json | jq '[.items[] | select(.spec.volumes[]?.hostPath!=null) | {name:.metadata.name, ns:.metadata.namespace}]'
Phase 2: Deploy Prevention
- Apply Pod Security Admission labels to namespaces
- Deploy OPA Gatekeeper constraints
- Test with non-compliant pods (should be rejected)
Phase 3: Deploy Detection
- Install Falco with privilege escalation rules
- Enable Kubernetes audit logging
- Configure alerts to SIEM
Phase 4: Respond to Alerts
- Identify compromised pod
- Check container security context
- Review process list and capabilities
- Isolate with network policy
- Capture forensic data
- Delete compromised pod