K8S01–K8S04 Kubernetes Security Misconfiguration

This page covers:

• K8S01: Privileged containers, running as root, host namespaces
• K8S02: Secrets in ConfigMaps or environment values instead of Secrets
• K8S03: Missing security context, resource limits, privilege escalation controls
• K8S04: RBAC wildcard permissions / cluster-admin bindings

What this means

SiteShadow flagged Kubernetes configuration that increases blast radius or makes secrets easier to leak.

Why it matters

Kubernetes misconfiguration can turn a single compromised pod into cluster-wide compromise, data exposure,

or persistent attacker access.

Safer examples

1) Run workloads with least privilege

• Prefer non-root (runAsNonRoot: true) and set runAsUser/runAsGroup explicitly.
• Disable privilege escalation (allowPrivilegeEscalation: false) and drop capabilities.
• Avoid host namespaces (hostNetwork, hostPID, hostIPC) unless strictly required.

2) Handle secrets correctly

• Use Kubernetes Secret objects (or an external secret store), not ConfigMaps or plaintext env vars.

3) Constrain resources and permissions

• Set resource requests/limits to reduce noisy-neighbor and DoS risk.
• Tighten RBAC: avoid * verbs/resources and avoid cluster-admin bindings for workloads.

How SiteShadow detects it (high level)

• Detects high-risk pod security settings (privileged/root/host namespaces, privilege escalation).
• Flags secret anti-patterns (secrets in ConfigMaps/plain env) and overly broad RBAC roles/bindings.
• Highlights missing resource limits and securityContext hardening.

References

• Kubernetes Security: https://kubernetes.io/docs/concepts/security/
• OWASP Kubernetes Security Cheat Sheet: https://cheatsheetseries.owasp.org/

---

← Back to Vulnerability Library