Scenario #289
Security
Kubernetes v1.22, On-Prem

hostAliases Used for Spoofing Internal Services

A malicious pod used hostAliases to spoof internal service hostnames and intercept requests.

What Happened

In an insider attack, the hostAliases field of a pod spec was used to add entries to the pod's /etc/hosts, redirecting requests to attacker-controlled services.

Diagnosis Steps
  1. Reviewed pod manifests with hostAliases.
  2. Captured outbound DNS traffic and traced redirections.
  3. Detected communication with rogue internal services.
Root Cause

Abuse of the hostAliases field in the PodSpec.

Fix/Workaround
• Disabled use of hostAliases via OPA policies.
• Logged all pod specs with custom host entries.
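
Diagnosis step 1 and the logging fix above both depend on finding every workload whose PodSpec carries hostAliases. The following Python audit is an added example, not part of the original scenario; it also walks controller pod templates, the sample objects, names and IPs are constructed, and cluster.local is an assumed cluster domain.

```python
# Path from each workload kind to its embedded PodSpec.
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": TEMPLATE, "StatefulSet": TEMPLATE, "DaemonSet": TEMPLATE,
    "ReplicaSet": TEMPLATE, "Job": TEMPLATE,
    "CronJob": ("spec", "jobTemplate") + TEMPLATE,
}

def pod_spec(obj):
    """Return the PodSpec of a workload object, or {} for kinds not listed above."""
    path = POD_SPEC_PATHS.get(obj.get("kind"), ())
    node = obj if path else {}
    for key in path:
        node = node.get(key) or {}
    return node

def shadows_cluster_dns(hostname, cluster_domain="cluster.local"):
    """Triage hint: short names (resolved via the pod's search domains) and
    *.svc / *.svc.<cluster_domain> names are ones cluster DNS normally answers."""
    h = hostname.lower().rstrip(".")
    return "." not in h or h.endswith((".svc", ".svc." + cluster_domain))

def audit_host_aliases(objects):
    """Return one record per hostAliases entry; every entry is reported."""
    findings = []
    for obj in objects:
        meta = obj.get("metadata") or {}
        for alias in pod_spec(obj).get("hostAliases") or []:
            names = alias.get("hostnames") or []
            findings.append({
                "kind": obj.get("kind"), "name": meta.get("name"),
                "namespace": meta.get("namespace", "default"),
                "ip": alias.get("ip"), "hostnames": names,
                "shadows_cluster_dns": any(shadows_cluster_dns(n) for n in names),
            })
    return findings

# Constructed sample objects, shaped like the items of `kubectl get ... -o json`.
SAMPLE = [
    {"kind": "Pod", "metadata": {"name": "report-runner", "namespace": "team-a"},
     "spec": {"hostAliases": [
         {"ip": "10.0.5.23", "hostnames": ["payments.prod.svc.cluster.local"]}]}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "team-a"},
     "spec": {"template": {"spec": {"containers": []}}}},
    {"kind": "CronJob", "metadata": {"name": "nightly", "namespace": "team-a"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"hostAliases": [
         {"ip": "10.0.9.9", "hostnames": ["metrics.example.internal"]}]}}}}}},
]
```

Pass `audit_host_aliases` the `items` array from `kubectl get pods,deployments,cronjobs -A -o json` and log each returned record; entries with `shadows_cluster_dns` set are the ones that override a name cluster DNS would otherwise resolve.
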
Lessons Learned

Hosts-file spoofing can bypass DNS-based security controls.

How to Avoid
  1. Restrict or disallow use of hostAliases.
  2. Rely on service discovery via DNS only.