Name: Detecting Privilege Escalation In Kubernetes Pods
Author: mukul975

Overview

Privilege escalation in Kubernetes occurs when a pod or container gains elevated permissions beyond its intended scope. This includes running as root, using privileged mode, mounting host filesystems, enabling dangerous Linux capabilities, or exploiting kernel vulnerabilities. Detection combines admission control (prevention), runtime monitoring (detection), and audit logging (investigation).

When to Use

When investigating security incidents that require detecting privilege escalation in kubernetes pods
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Kubernetes cluster v1.25+ (Pod Security Admission support)
kubectl with cluster-admin access
Falco or similar runtime security tool
OPA Gatekeeper or Kyverno for admission policies

Vector	Risk	Detection Method
privileged: true	Full host access	Admission control + audit
hostPID: true	Access host processes	Admission control
hostNetwork: true	Access host network stack	Admission control
hostPath volumes	Read/write host filesystem	Admission control
SYS_ADMIN capability	Near-privileged access	Admission + runtime
allowPrivilegeEscalation: true	setuid/setgid exploitation	Admission control
runAsUser: 0	Container root	Admission control
automountServiceAccountToken	Token theft for API access	Admission control
Writable /proc or /sys	Kernel parameter manipulation	Runtime monitoring

Detecting Privilege Escalation In Kubernetes Pods

Detecting Privilege Escalation In Kubernetes Pods

Overview

When to Use

Prerequisites

Privilege Escalation Vectors in Kubernetes

Detection with Admission Control

Pod Security Admission (Built-in)

Helm Chart Scaffolding

Python Observability

K8s Manifest Generator

Istio Traffic Management

Secrets Management

Gitops Workflow