Skill

detecting-privilege-escalation-in-kubernetes-pods

Detects and prevents privilege escalation in Kubernetes Pods using Falco runtime rules for system calls and OPA Gatekeeper policies for security contexts, capabilities, and host access vectors.

Kubernetes

security

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Kubernetes 中的权限提升是指 Pod 或容器获得超出其预期范围的提升权限，包括以 root 身份运行、使用特权模式、挂载主机文件系统、启用危险的 Linux 能力或利用内核漏洞。检测结合了准入控制（预防）、运行时监控（检测）和审计日志（调查）三种手段。

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

detecting-privilege-escalation-in-kubernetes-pods

Detects and prevents privilege escalation in Kubernetes pods using Pod Security Admission, OPA Gatekeeper policies, and Falco runtime monitoring for security contexts, capabilities, and syscalls.

asi

detecting-privilege-escalation-in-kubernetes-pods

5.9k

Detects and prevents privilege escalation in Kubernetes pods using Falco for syscall monitoring, OPA Gatekeeper and Pod Security Admission for policy enforcement.

7 files

cybersecurity-skills

performing-container-escape-detection

Detects Kubernetes container escape attempts by checking privileged mode, dangerous capabilities, host namespace sharing, risky hostPath mounts, and cgroup abuses like CVE-2022-0492 using Python Kubernetes client. For auditing cluster security.

3 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

检测 Kubernetes Pod 中的权限提升

概述

前提条件

Kubernetes 集群 v1.25+（支持 Pod 安全准入）
kubectl，具有 cluster-admin 访问权限
Falco 或类似的运行时安全工具
用于准入策略的 OPA Gatekeeper 或 Kyverno

Kubernetes 中的权限提升向量

向量	风险	检测方法
privileged: true	完整主机访问	准入控制 + 审计
hostPID: true	访问主机进程	准入控制
hostNetwork: true	访问主机网络栈	准入控制
hostPath 卷	读/写主机文件系统	准入控制
SYS_ADMIN 能力	接近特权访问	准入 + 运行时
allowPrivilegeEscalation: true	setuid/setgid 漏洞利用	准入控制
runAsUser: 0	容器以 root 运行	准入控制
automountServiceAccountToken	令牌窃取以访问 API	准入控制
可写的 /proc 或 /sys	内核参数操纵	运行时监控

使用准入控制进行检测

Pod 安全准入（内置）

# 对命名空间强制执行受限策略
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

OPA Gatekeeper 策略

# 阻止危险能力
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdangerouspriv
spec:
  crd:
    spec:
      names:
        kind: K8sDangerousPriv
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdangerouspriv

        dangerous_caps := {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_OVERRIDE", "NET_ADMIN", "NET_RAW"}

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          cap := container.securityContext.capabilities.add[_]
          dangerous_caps[cap]
          msg := sprintf("容器 %v 添加了危险能力: %v", [container.name, cap])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.privileged == true
          msg := sprintf("容器 %v 以特权模式运行", [container.name])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.allowPrivilegeEscalation == true
          msg := sprintf("容器 %v 允许权限提升", [container.name])
        }

        violation[{"msg": msg}] {
          input.review.object.spec.hostPID == true
          msg := "Pod 使用主机 PID 命名空间"
        }

        violation[{"msg": msg}] {
          input.review.object.spec.hostNetwork == true
          msg := "Pod 使用主机网络"
        }

使用 Falco 进行运行时检测

# /etc/falco/rules.d/privesc-detection.yaml
- rule: Setuid Binary Execution in Container
  desc: 检测容器中执行 setuid/setgid 二进制文件
  condition: >
    spawned_process and container and
    (proc.name in (su, sudo, newgrp, chsh, passwd) or
     proc.is_exe_upper_layer=true)
  output: >
    容器中执行了 setuid/setgid 二进制文件
    (user=%user.name container=%container.name image=%container.image.repository
     command=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, privilege-escalation, T1548]

- rule: Capability Gained in Container
  desc: 检测进程获得提升能力的情况
  condition: >
    evt.type = capset and container and
    evt.arg.cap != ""
  output: >
    容器中的进程获得了能力
    (container=%container.name image=%container.image.repository
     capabilities=%evt.arg.cap command=%proc.cmdline)
  priority: WARNING
  tags: [container, privilege-escalation, T1548.001]

- rule: Container with Dangerous Capabilities Started
  desc: 检测使用危险能力启动的容器
  condition: >
    container_started and container and
    (container.image.repository != "registry.k8s.io/pause") and
    (container.cap_effective contains SYS_ADMIN or
     container.cap_effective contains SYS_PTRACE or
     container.cap_effective contains SYS_MODULE)
  output: >
    具有危险能力的容器
    (container=%container.name image=%container.image.repository
     caps=%container.cap_effective)
  priority: CRITICAL
  tags: [container, privilege-escalation, T1068]

- rule: Write to /etc/passwd in Container
  desc: 检测容器内写入 /etc/passwd 的操作
  condition: >
    open_write and container and fd.name = /etc/passwd
  output: >
    容器中写入 /etc/passwd
    (container=%container.name image=%container.image.repository
     command=%proc.cmdline user=%user.name)
  priority: CRITICAL
  tags: [container, privilege-escalation, T1136]

Kubernetes 审计日志检测

# audit-policy.yaml - 捕获权限提升事件
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # 记录带有安全上下文详情的 Pod 创建
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods"]
    verbs: ["create", "update", "patch"]

  # 记录权限提升尝试
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
    verbs: ["create", "update", "patch", "bind", "escalate"]

  # 记录服务账户令牌请求
  - level: Metadata
    resources:
      - group: ""
        resources: ["serviceaccounts/token"]
    verbs: ["create"]

查询审计日志中的权限提升

# 查找使用特权安全上下文创建的 Pod
kubectl logs -n kube-system kube-apiserver-* | \
  jq 'select(.verb == "create" and .objectRef.resource == "pods") |
  select(.requestObject.spec.containers[].securityContext.privileged == true)'

# 查找 RBAC 提升尝试
kubectl logs -n kube-system kube-apiserver-* | \
  jq 'select(.objectRef.resource == "clusterrolebindings" and .verb == "create")'

调查手册

# 检查 Pod 安全上下文
kubectl get pod <pod-name> -n <ns> -o jsonpath='{.spec.containers[*].securityContext}'

# 检查有效能力
kubectl exec <pod-name> -n <ns> -- cat /proc/1/status | grep -i cap

# 列出以 root 身份运行的 Pod
kubectl get pods --all-namespaces -o json | \
  jq '.items[] | select(.spec.containers[].securityContext.runAsUser == 0 or .spec.containers[].securityContext.privileged == true) | {name: .metadata.name, ns: .metadata.namespace}'

# 检查 hostPath 卷
kubectl get pods --all-namespaces -o json | \
  jq '.items[] | select(.spec.volumes[]?.hostPath != null) | {name: .metadata.name, ns: .metadata.namespace, paths: [.spec.volumes[].hostPath.path]}'

最佳实践

对生产命名空间启用 Pod 安全准入，级别为 restricted
丢弃所有能力，然后只添加所需的能力
在所有容器上设置 allowPrivilegeEscalation: false
以非 root 用户运行（runAsNonRoot: true, runAsUser > 0）
除非需要 API 访问，否则禁用 automountServiceAccountToken
使用 Falco 监控运行时权限提升尝试
使用 Kubernetes 审计日志审计 RBAC 变更
使用 seccomp profile 限制系统调用