TF 0257 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Do not allow attaching to shell on pods

| Property | Value |
| --- | --- |
| Language | terraform |
| Severity | high |

Description

The role configuration allows users to attach to the shell of pods by granting 'create' access on 'pods/attach' and 'get' access on 'pods'. This enables interactive access to containers, which can bypass application-level security controls.

Impact

If exploited, attackers or unauthorized users could gain direct shell access to running containers, potentially leading to data exfiltration, privilege escalation, or manipulation of workloads. This increases the risk of lateral movement and compromise of other resources within the Kubernetes cluster.

Resolution

Create a role that does not permit attaching to the shell of pods, i.e. one that does not grant 'create' on the 'pods/attach' subresource.
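As an added example (not part of this rule page or the database's own code), the flagged pattern and its resolution expressed with the Terraform kubernetes provider; the role names, namespace and the decision to keep read access to 'pods' and 'pods/log' in the corrected role are assumptions for illustration.

```hcl
# Added example, not from the Symbiotic rule page. Names are placeholders.

# Flagged pattern (TF 0257): 'create' on 'pods/attach' combined with 'get' on
# 'pods' lets any subject bound to this role open an interactive session in a
# running container.
resource "kubernetes_role" "debug_attach_flagged" {
  metadata {
    name      = "debug-attach"
    namespace = "example-ns"
  }

  rule {
    api_groups = [""]
    resources  = ["pods"]
    verbs      = ["get", "list"]
  }

  rule {
    api_groups = [""]
    resources  = ["pods/attach"]
    verbs      = ["create"]
  }
}

# Resolution: the same role without the pods/attach subresource. Read-only
# visibility of pods and their logs (an assumed operational need) is kept;
# interactive access is not granted.
resource "kubernetes_role" "debug_readonly" {
  metadata {
    name      = "debug-readonly"
    namespace = "example-ns"
  }

  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "list"]
  }
}
```

When reviewing roles for this rule, also treat wildcard entries (`resources = ["*"]` or `verbs = ["*"]`) as granting the attach permission, since they include 'pods/attach' and 'create' implicitly.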