Skill

performing-container-escape-detection

From asi

Detects Kubernetes container escape attempts via privileged checks, dangerous capabilities, host mounts, namespaces, and cgroup abuse using Python client. For security audits and investigations.

Python

Kubernetes

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When conducting security assessments that involve performing container escape detection

SKILL.md

Similar Skills

performing-container-escape-detection

5.9k

Audits Kubernetes pods for container escape vectors including privileged containers, dangerous capabilities, host mounts, namespace sharing, and cgroup vulnerabilities using Python client.

3 files

cybersecurity-skills

performing-container-escape-detection

Detects Kubernetes container escape attempts by checking privileged mode, dangerous capabilities, host namespace sharing, risky hostPath mounts, and cgroup abuses like CVE-2022-0492 using Python Kubernetes client. For auditing cluster security.

3 files

cybersecurity-skills-zh

detecting-privilege-escalation-in-kubernetes-pods

Detects and prevents privilege escalation in Kubernetes pods using Pod Security Admission, OPA Gatekeeper policies, and Falco runtime monitoring for security contexts, capabilities, and syscalls.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Performing Container Escape Detection

When to Use

When conducting security assessments that involve performing container escape detection

When following incident response procedures for related security events

When performing scheduled security testing or auditing activities

When validating security controls through hands-on testing

Prerequisites

Familiarity with container security concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Audit Kubernetes pods for container escape vectors including privileged mode, dangerous capabilities, host namespace sharing, and writable hostPath mounts.

from kubernetes import client, config config.load_kube_config() v1 = client.CoreV1Api() pods = v1.list_pod_for_all_namespaces() for pod in pods.items: for container in pod.spec.containers: sc = container.security_context if sc and sc.privileged: print(f"PRIVILEGED: {pod.metadata.namespace}/{pod.metadata.name}")

Key escape vectors:

Privileged containers (full host access)

CAP_SYS_ADMIN capability

Host PID/Network/IPC namespace sharing

Writable hostPath mounts to / or /etc

Docker socket mount (/var/run/docker.sock)

Examples

# Check for docker socket mounts for vol in pod.spec.volumes or []: if vol.host_path and "docker.sock" in (vol.host_path.path or ""): print(f"Docker socket exposed: {pod.metadata.name}")