[QUESTION] [k8s] Circumventing the privileged pod technique

[loresuso]

There are a number of ways for an attacker to circumvent privileged pod detection and still harm the node. I am thinking about capabilities and namespaces, and combinations of them. For instance:

• hostpid set to true, and just CAP_SYS_PTRACE. You can see any process on the host, possibly kill them, or even inject code and execute in the context of another process
• hostpid set to true, and just CAP_SYS_ADMIN. You can see any process on the host and use setns to enter their namespaces
• I believe many more combinations are possible

I don't know how this is mapped to MITRE ATT&CK, but I just wanted to ask if it makes sense to implement these techniques

[christophetd]

Thanks, great question? Generally, techniques following the philosophy make sense to implement. In particular, we should try to focus on techniques that have been used in the wild, or are actively used by pentesters/red teamers.

Any thought on that for your proposed techniques?