Integrate with cloud provider
When the cluster is deployed in the cloud, attackers can in some cases leverage their access to a container in the cluster to obtain cloud credentials. For example, in AKS each node holds a service principal credential.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Check which workloads have volumes with potential access to known cloud credential folders or files on the node, such as "/etc/kubernetes/azure.json" on Azure.
Refrain from using hostPath mounts of known cloud credential folders or files.
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath: # This field triggers failure!
      path: /data
      type: Directory
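The check described above, as an added example that is not part of the original page: it walks the pod template of each listed workload kind and flags hostPath volumes whose path is, or contains, a known cloud credential location on the node. It works on already-parsed manifests (plain dicts) so it needs no YAML library; the credential path list holds only the Azure file named on the page and is meant to be extended per provider.

```python
# Added example (not from the original page): flag workloads whose hostPath
# volumes expose known cloud credential files on the node.
from typing import Dict, List

# Node-side credential locations. Only the Azure path from the page is listed;
# add your provider's paths here.
CLOUD_CREDENTIAL_PATHS = ["/etc/kubernetes/azure.json"]

# Where each workload kind keeps its pod template (Pod is its own template).
_TEMPLATE_PATH = {
    "Pod": [],
    "CronJob": ["spec", "jobTemplate", "spec", "template"],
    "DaemonSet": ["spec", "template"],
    "Deployment": ["spec", "template"],
    "Job": ["spec", "template"],
    "ReplicaSet": ["spec", "template"],
    "StatefulSet": ["spec", "template"],
}

def _pod_spec(manifest: Dict) -> Dict:
    node = manifest
    for key in _TEMPLATE_PATH.get(manifest.get("kind"), []):
        node = node.get(key, {})
    return node.get("spec", {})

def _covers(host_path: str, secret: str) -> bool:
    # Mounting "/" or "/etc/kubernetes" exposes the file just as much as
    # mounting the file itself, so treat parent directories as hits.
    m = host_path.rstrip("/") or "/"
    if m == "/":
        return True
    return secret == m or secret.startswith(m + "/")

def find_cloud_credential_mounts(manifest: Dict) -> List[str]:
    """Return 'volume -> hostPath' for each hostPath volume that reaches a credential."""
    findings = []
    for vol in _pod_spec(manifest).get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path and any(_covers(path, s) for s in CLOUD_CREDENTIAL_PATHS):
            findings.append(f"{vol.get('name')} -> {path}")
    return findings

# Constructed sample: a Deployment mounting the whole /etc/kubernetes directory
# next to a harmless /data mount.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"volumes": [
        {"name": "k8s-cfg", "hostPath": {"path": "/etc/kubernetes/"}},
        {"name": "data", "hostPath": {"path": "/data"}},
    ]}}},
}
```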