Scenario #288
Security
Kubernetes v1.25, GKE

EphemeralContainers Used for Reconnaissance

A compromised user account attached ephemeral containers to running pods to inspect them and copy the secrets they held.

What Happened

A user whose RBAC role allowed patch/update on the pods/ephemeralcontainers subresource used kubectl debug to attach ephemeral containers to pods running critical workloads. An ephemeral container that targets an existing container shares its process namespace, so the attacker could read that container's mounted Secret files (via /proc/<pid>/root) and its environment variables (via /proc/<pid>/environ) without modifying the workload's own image or restarting the pod.

Diagnosis Steps
1. Audited API server requests to the pods/ephemeralcontainers subresource (verbs patch and update).
2. Found container launches that did not match any sanctioned debugging session: unexpected principal, unexpected image, production namespace.
3. Inspected the injected containers themselves (ephemeral containers cannot be removed and stay in the pod spec until the pod is deleted, so they were still present), recovered shell history, and established which mounted Secrets and environment variables had been read.
Root Cause

An overprivileged user: the role bound to the account granted patch/update on pods/ephemeralcontainers. Wildcard grants (resources: ["*"] or verbs: ["*"]) cover this subresource implicitly, so the permission had never been consciously given.

Fix/Workaround
• Removed the patch and update verbs on the pods/ephemeralcontainers subresource from all roles, including the wildcard grants that covered it implicitly.
• Configured audit logging so that every request to pods/ephemeralcontainers is recorded with its request body (image, command and target container of the injected debugger) and alerted on.
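The first fix item is a search over RBAC objects, and it is easy to get wrong: a rule on plain `pods` does not cover the subresource, but `*`, `pods/ephemeralcontainers` and `*/ephemeralcontainers` all do, and `verbs: ["*"]` includes patch and update. The following is an added example (not code from this scenario or from Kubernetes) that applies those matching rules to Role/ClusterRole and binding objects in the shape `kubectl get ... -o json` returns; the roles, bindings and subject names are constructed for the example, and a RoleBinding to a namespaced Role is matched by name only (the Role's namespace is not checked), so treat its output as a lead to confirm, for instance with `kubectl auth can-i patch pods --subresource=ephemeralcontainers --as=<user>`.

```python
"""Find RBAC roles that can inject ephemeral containers, and who holds them.

Adding an ephemeral container is a patch or update on the pods/ephemeralcontainers
subresource in the core API group. A PolicyRule grants it when its resources list
contains "*", "pods/ephemeralcontainers" or "*/ephemeralcontainers" (the forms the
Kubernetes RBAC authorizer matches); plain "pods" does not. Role and binding objects
below mirror `kubectl get clusterroles,clusterrolebindings -o json` and are
constructed for this example (hypothetical names).
"""

TARGET_GROUP = ""                        # core API group
TARGET_RESOURCE = "pods"
TARGET_SUBRESOURCE = "ephemeralcontainers"
INJECT_VERBS = {"patch", "update"}       # either verb is enough to add a container


def rule_grants(rule):
    """True if one PolicyRule allows patch/update on pods/ephemeralcontainers."""
    groups = rule.get("apiGroups") or []
    if "*" not in groups and TARGET_GROUP not in groups:
        return False
    combined = f"{TARGET_RESOURCE}/{TARGET_SUBRESOURCE}"
    resources = rule.get("resources") or []
    if not any(r in ("*", combined, f"*/{TARGET_SUBRESOURCE}") for r in resources):
        return False
    # resourceNames would narrow the grant to named pods but not remove it.
    verbs = set(rule.get("verbs") or [])
    return "*" in verbs or bool(INJECT_VERBS & verbs)


def granting_roles(roles):
    """Set of "Kind/name" for Roles/ClusterRoles with at least one granting rule."""
    return {
        f'{r["kind"]}/{r["metadata"]["name"]}'
        for r in roles
        if any(rule_grants(rule) for rule in r.get("rules") or [])
    }


def holders(roles, bindings):
    """Map each granting role to the subjects bound to it ("Kind:name")."""
    granting = granting_roles(roles)
    result = {}
    for b in bindings:
        key = f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'
        if key in granting:
            result.setdefault(key, []).extend(
                f'{s["kind"]}:{s["name"]}' for s in b.get("subjects") or []
            )
    return result


# Constructed sample objects (hypothetical names).
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["patch"]}]},
    # The overprivileged role from the scenario: wildcards cover the subresource implicitly.
    {"kind": "ClusterRole", "metadata": {"name": "app-deployer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Can patch pods, but not the subresource: no grant.
    {"kind": "ClusterRole", "metadata": {"name": "pod-editor"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "patch", "update"]}]},
    # Read-only on the subresource: no grant.
    {"kind": "Role", "metadata": {"name": "ephemeral-viewer", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["get"]}]},
]

BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "app-deployer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "app-deployer"},
     "subjects": [{"kind": "User", "name": "ci-bot"}, {"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug-payments", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "ephemeral-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

if __name__ == "__main__":
    for role, subjects in sorted(holders(ROLES, BINDINGS).items()):
        print(f"{role}: {', '.join(subjects)}")
```

Run against real cluster output by loading the `items` arrays of `kubectl get clusterroles,roles -A -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json` in place of `ROLES` and `BINDINGS`. The sample shows the trap from this incident: `app-deployer` never names ephemeral containers, yet `ci-bot` and every member of `developers` can inject them, while `pod-editor`, which looks more pod-focused, cannot.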
Lessons Learned

New API surfaces introduce new privilege paths. Ephemeral containers went GA in v1.25; an RBAC model written before that did not account for the pods/ephemeralcontainers subresource, and wildcard grants picked it up silently.

How to Avoid
1. Lock down access to new APIs: when a feature graduates, review which roles can reach its resources and subresources, and avoid wildcard verbs and resources so new subresources are not granted by default.
2. Monitor audit logs for container injection attempts: patch/update requests to pods/ephemeralcontainers, successful or denied, outside sanctioned debugging sessions.
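Both the first diagnosis step and the second avoidance step come down to the same query over API server audit events: a patch or update whose objectRef has resource `pods` and subresource `ephemeralcontainers`. The following is an added example (not code from this scenario) that runs that query over audit log lines in the audit.k8s.io/v1 Event shape, one JSON object per line as the API server's log backend writes them; the four log lines, the pod and user names, and the `sre-oncall` break-glass group treated as expected are all constructed for the example. The injected container's image and target are only present when the event was logged at Request or RequestResponse level, which is why the fix above asks for the request body to be recorded.

```python
"""Flag audit events that inject an ephemeral container into a pod.

kubectl debug, and any direct API client, adds an ephemeral container with a PATCH
or UPDATE to the pods/ephemeralcontainers subresource, so that is the signal.
Events are audit.k8s.io/v1 Event objects, one per line. Sample lines and the
expected-debugger group are constructed for this example.
"""
import json

# Principals allowed to debug pods (assumed break-glass group; hypothetical).
EXPECTED_DEBUGGERS = {"group:sre-oncall"}

# Constructed audit log: a successful injection by ci-bot, an unrelated GET,
# a sanctioned injection by an SRE, and a denied attempt by mallory.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d-xk2p/ephemeralcontainers","verb":"patch","user":{"username":"ci-bot","groups":["system:authenticated","developers"]},"sourceIPs":["10.0.3.7"],"userAgent":"kubectl/v1.25.0","objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d-xk2p","apiVersion":"v1","subresource":"ephemeralcontainers"},"responseStatus":{"code":200},"requestObject":{"spec":{"ephemeralContainers":[{"name":"debugger-k9x2","image":"busybox:1.36","command":["sh"],"targetContainerName":"api","stdin":true,"tty":true}]}},"requestReceivedTimestamp":"2023-03-01T10:14:02.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d-xk2p","verb":"get","user":{"username":"ci-bot","groups":["system:authenticated","developers"]},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d-xk2p","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-03-01T10:14:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/staging/pods/web-1/ephemeralcontainers","verb":"patch","user":{"username":"bob","groups":["system:authenticated","sre-oncall"]},"objectRef":{"resource":"pods","namespace":"staging","name":"web-1","apiVersion":"v1","subresource":"ephemeralcontainers"},"responseStatus":{"code":200},"requestObject":{"spec":{"ephemeralContainers":[{"name":"debugger-q1","image":"busybox:1.36","targetContainerName":"web"}]}},"requestReceivedTimestamp":"2023-03-01T11:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/pods/api-7c9d-xk2p/ephemeralcontainers","verb":"patch","user":{"username":"mallory","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d-xk2p","apiVersion":"v1","subresource":"ephemeralcontainers"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2023-03-01T11:05:00.000000Z"}
"""


def parse_events(text):
    """Yield one Event dict per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_ephemeral_injection(ev):
    """Patch/update to pods/ephemeralcontainers, counted once the response is complete."""
    ref = ev.get("objectRef") or {}
    return (ev.get("stage") == "ResponseComplete"
            and ev.get("verb") in ("patch", "update")
            and ref.get("resource") == "pods"
            and ref.get("subresource") == "ephemeralcontainers")


def principal_tags(user):
    """Tags like user:alice / group:developers for matching against an allowlist."""
    return {"user:" + user.get("username", "")} | {"group:" + g for g in user.get("groups", [])}


def describe(ev, expected=EXPECTED_DEBUGGERS):
    """Summarise one injection event; image/target need Request(Response)-level logging."""
    ref = ev["objectRef"]
    code = (ev.get("responseStatus") or {}).get("code", 0)
    containers = ((ev.get("requestObject") or {}).get("spec") or {}).get("ephemeralContainers") or []
    if 200 <= code < 300:
        outcome = "succeeded"
    elif code in (401, 403):
        outcome = "denied"
    else:
        outcome = f"http {code}"
    return {
        "time": ev.get("requestReceivedTimestamp"),
        "user": ev["user"]["username"],
        "pod": f'{ref.get("namespace")}/{ref.get("name")}',
        "outcome": outcome,
        "images": [c.get("image") for c in containers],
        "targets": [c["targetContainerName"] for c in containers if c.get("targetContainerName")],
        "expected": bool(principal_tags(ev["user"]) & expected),
    }


def find_injections(text, expected=EXPECTED_DEBUGGERS):
    """Every ephemeral-container injection (sanctioned or not) in the log text."""
    return [describe(ev, expected) for ev in parse_events(text) if is_ephemeral_injection(ev)]


def alerts(text, expected=EXPECTED_DEBUGGERS):
    """Injections, including denied attempts, by principals outside the allowlist."""
    return [f for f in find_injections(text, expected) if not f["expected"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_AUDIT_LOG):
        print(f'{f["time"]} {f["user"]} -> {f["pod"]} {f["outcome"]} '
              f'images={f["images"]} targets={f["targets"]}')
```

Denied attempts are reported on purpose: a 403 on pods/ephemeralcontainers from an account that has no reason to debug pods is the earliest sign that a credential is being probed. On a managed control plane such as GKE the equivalent events arrive through the cloud provider's audit logging rather than a file you control, but the fields to match (verb, resource, subresource, principal, response code) are the same.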