Do not allow attaching to shell on pods
| Property | Value |
|---|---|
| Language | Kubernetes |
| Severity | |
Description
The Role or ClusterRole grants `create` on the `pods/attach` subresource together with `get` on `pods`. That is exactly the pair of permissions `kubectl attach` needs: `get` on `pods` to look up the pod and its containers, and `create` on `pods/attach` to open a streaming connection to a running container's primary process (its stdin, stdout and stderr). Where that process is a shell, or an application that accepts commands on stdin, the holder of the role gets interactive control of the container and bypasses whatever authentication and authorisation the application itself enforces. Two caveats when reviewing roles: wildcard entries (`*` in `resources` or `verbs`, or the `*/attach` form) grant the same capability without naming it, and the attach API call itself is authorised by `create` on `pods/attach` alone, so a role that grants only that verb still deserves scrutiny even though the check as stated also requires `get` on `pods`.
Impact
Any user or service account bound to the role can drive a running container directly: read mounted secrets and volumes, tamper with the workload, and use the pod's service account token and network position to reach other resources. That turns a single over-broad RBAC rule into a foothold for data exfiltration, privilege escalation and lateral movement across the Kubernetes cluster.
Resolution
Remove the `create` verb on `pods/attach` from the Role or ClusterRole, and avoid wildcard `resources` or `verbs` that include it (the same reasoning applies to `pods/exec`). Read-only troubleshooting needs `get`, `list` and `watch` on `pods` and `pods/log` only. If a small set of operators genuinely needs interactive access, put that permission in a separate, narrowly scoped role bound only to those principals, and confirm the result with `kubectl auth can-i create pods/attach` impersonating the affected subject.
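The following is an added example, not code from the page or from any scanner: a small Python check that applies the condition above (`create` on `pods/attach` plus `get` on `pods`) to Role and ClusterRole manifests, honouring RBAC wildcard semantics. The three manifests are constructed examples written in the dict form of their YAML: the weak role the check should catch, a read-only replacement that keeps troubleshooting access, and a wildcard ClusterRole that grants attach without naming it. The function and role names are assumptions chosen for illustration.

```python
"""Flag RBAC roles that allow attaching to pods.

Added, illustrative check written for this page; it is not the page's own
code nor any scanner's implementation. The manifests below are constructed
examples, shown in the dict form of their YAML.
"""
from typing import Dict, Iterable, List

Role = Dict  # a Role or ClusterRole manifest as a plain dict


def _resource_matches(listed: Iterable[str], requested: str) -> bool:
    """RBAC resource matching: "*" matches everything, otherwise exact match;
    a subresource request such as "pods/attach" is also matched by "*/attach"."""
    sub = requested.split("/", 1)[1] if "/" in requested else None
    for entry in listed:
        if entry == "*" or entry == requested:
            return True
        if sub is not None and entry == "*/" + sub:
            return True
    return False


def _wildcard_or_exact(listed: Iterable[str], wanted: str) -> bool:
    return any(entry in ("*", wanted) for entry in listed)


def rule_grants(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """True if one PolicyRule grants `verb` on `resource` in `api_group`.
    resourceNames narrow a rule to named pods but still grant the verb."""
    return (
        _wildcard_or_exact(rule.get("apiGroups", []), api_group)
        and _resource_matches(rule.get("resources", []), resource)
        and _wildcard_or_exact(rule.get("verbs", []), verb)
    )


def allows_pod_attach(role: Role, require_get_pods: bool = True) -> bool:
    """The page's condition: `create` on `pods/attach` combined with `get` on
    `pods` (what kubectl attach needs). The attach API call itself only needs
    `create` on `pods/attach`; pass require_get_pods=False to flag that alone."""
    rules = role.get("rules", [])
    can_attach = any(rule_grants(r, "", "pods/attach", "create") for r in rules)
    can_get = any(rule_grants(r, "", "pods", "get") for r in rules)
    return can_attach and (can_get or not require_get_pods)


def flagged_roles(roles: Iterable[Role]) -> List[str]:
    """kind/name of every role that fails the check."""
    return [
        f"{r.get('kind', 'Role')}/{r['metadata']['name']}"
        for r in roles
        if allows_pod_attach(r)
    ]


# Constructed example: the weak role the check is meant to catch.
ATTACH_ROLE: Role = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-attacher", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/attach"], "verbs": ["create"]},
    ],
}

# Constructed example: the same troubleshooting needs without interactive access.
READONLY_ROLE: Role = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed example: wildcards grant attach without naming it.
ADMIN_ROLE: Role = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    # prints ['Role/pod-attacher', 'ClusterRole/everything']
    print(flagged_roles([ATTACH_ROLE, READONLY_ROLE, ADMIN_ROLE]))
```

The check reads `rules` only, so it applies to Role and ClusterRole alike; what it cannot see is which subjects are bound, so after fixing a manifest confirm the live effect for the principal concerned, for example `kubectl auth can-i create pods/attach -n dev --as=system:serviceaccount:dev:app`, which should answer `no`.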