MITIGATION.md

File metadata and controls

53 lines (52 loc) · 1.86 KB

# Modules Mitigations

| Module | Description | Mitigation |
| --- | --- | --- |
| Mount Container Breakout | Can be exploited on privileged containers or containers with the privilege to mount. Creates a mount from the container to the host and gains access to the host's files. | Reduce container privileges. Prevent the creation of privileged containers or of containers with the permission to mount. |
| docker.sock Breakout | Can be exploited on containers with docker.sock mounted. It uses docker.sock to create a new vulnerable (privileged, with mounts, etc.) container and escape to the host. | Prevent creating containers with docker.sock mounted. |
| runC (CVE-2019-5736) Breakout | This module exploits a vulnerable runC to escape to the host. | Make sure to have an updated runC version (>1.0.0-rc6). |
| Kubelet attack | Some Kubernetes clusters might have nodes with the Kubelet open to anonymous requests. This module exploits this by listing the pods vulnerable to RCE, running commands inside them and scanning the service account tokens from all the pods. | Make sure that all the kubelets have the config file `/var/lib/kubelet/config.yaml` with the following: (1) no anonymous requests allowed: `authentication: anonymous: enabled: false`; (2) no authorization granted to anyone: `authorization: mode:` NOT set to AlwaysAllow. |
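The two Kubelet settings in the last row can be audited directly from `/var/lib/kubelet/config.yaml`. The script below is an added example, not part of this repository; it uses its own minimal parser for the nested `key: value` YAML subset those settings live in (it assumes no lists or flow syntax), and the two sample configs are constructed for demonstration.

```python
import sys

def parse_simple_yaml(text):
    """Parse the nested 'key: value' YAML subset kubelet configs use for these keys (no lists)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent closes the deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # a bare 'key:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip().strip("\"'")
    return root

def audit_kubelet_config(text):
    """Return findings for the two settings in the mitigation table; [] means both are in place."""
    cfg = parse_simple_yaml(text)
    findings = []
    anon = cfg.get("authentication", {}).get("anonymous", {}).get("enabled")
    if anon is None or anon.lower() != "false":
        findings.append("authentication.anonymous.enabled must be false (found %r)" % anon)
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("authorization.mode must not be AlwaysAllow")
    return findings

# Constructed sample configs for demonstration, not taken from a real node.
WEAK_CONFIG = """\
authentication:
  anonymous:
    enabled: true   # any unauthenticated caller can reach the kubelet API
authorization:
  mode: AlwaysAllow
"""
HARDENED_CONFIG = """\
authentication:
  anonymous:
    enabled: false
authorization:
  mode: Webhook
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/kubelet/config.yaml"
    print(audit_kubelet_config(open(path).read()) or ["OK: kubelet mitigations present"])
```

Run it on each node (or pass a copied config path as the first argument); any non-empty output lists the settings that still need changing.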