
Exposed Kubernetes API

The Exposed Kubernetes API subtechnique falls under the Gain Access phase through External Remote Services. Attackers exploit public-facing or inadequately protected Kubernetes API servers to gain initial access to container orchestration environments. The API server is the control plane's single entry point for managing cluster operations; when it is reachable without proper authentication or network controls, an adversary can talk to it directly to enumerate resources, deploy malicious containers, or alter existing workloads. Access of this kind commonly results from API servers exposed to the internet, missing network restrictions, anonymous access left enabled with RBAC that grants system:anonymous or system:unauthenticated more than the default discovery endpoints, leaked service account tokens, or improperly secured kubeconfig files. A quick indicator is whether an unauthenticated request returns anything beyond the public endpoints such as /version and /healthz: a 200 on a path like /api/v1/pods means anonymous access is both enabled and authorized. Once access is established, attackers can enumerate cluster resources, deploy privileged containers (hostPath mounts, hostPID or hostNetwork, privileged security contexts), and potentially gain complete control over the entire Kubernetes infrastructure, providing a foundation for lateral movement and persistence in cloud-native environments.
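The behaviour described above leaves a trace in the API server audit log, so a practical way to detect it is to scan audit events for (a) anonymous requests that were allowed rather than denied and (b) successful pod creations whose spec asks for host-level privileges. The script below is an added example, not code from the original page or from any Kubernetes project; it runs over a handful of constructed audit.k8s.io/v1 events embedded inline (no real captured data), and the INTERNAL_NETS ranges used to decide whether a source IP is external are an assumption you would replace with your own cluster and VPN ranges.

```python
"""Detect exposed-API-server abuse in Kubernetes audit log events (added example)."""
import ipaddress
import json
from typing import Iterator

# Assumption: these ranges are where legitimate clients (nodes, admins, CI) live.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events in the audit.k8s.io/v1 shape; not real captured data.
# 1: unauthenticated client lists pods and gets 200 (anonymous access enabled and authorized)
# 2: the same source creates a privileged pod with hostPID and a hostPath mount of /
# 3: normal control-plane traffic that must not be flagged
# 4: anonymous request to secrets that RBAC denied (a probe, lower severity)
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0001","stage":"ResponseComplete","requestURI":"/api/v1/pods?limit=500","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"0002","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:default:default","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"default","name":"debug"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"c","image":"alpine","securityContext":{"privileged":true},"volumeMounts":[{"name":"root","mountPath":"/host"}]}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0003","stage":"ResponseComplete","requestURI":"/api/v1/nodes","verb":"list","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0004","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one audit event per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_anonymous(user: dict) -> bool:
    """True for requests the API server did not authenticate."""
    return user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", [])


def is_external(ip: str) -> bool:
    """True when the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def pod_risk_flags(spec: dict) -> list:
    """Collect the host-escape settings in a pod spec: host namespaces, privileged containers, hostPath."""
    flags = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            flags.append("privileged:" + c.get("name", "?"))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            flags.append("hostPath:" + v["hostPath"].get("path", "?"))
    return flags


def analyze(text: str) -> list:
    """Return findings for anonymous access and privileged pod creation, in log order."""
    findings = []
    for ev in parse_events(text):
        if ev.get("stage") != "ResponseComplete":
            continue  # only judge completed requests, so the response code is final
        code = ev.get("responseStatus", {}).get("code", 0)
        user = ev.get("user", {})
        src = ev.get("sourceIPs", ["?"])[0]
        base = {"auditID": ev.get("auditID"), "source": src, "uri": ev.get("requestURI")}
        if is_anonymous(user):
            # A 2xx/3xx for system:anonymous means anonymous auth is on AND RBAC allowed it.
            rule, sev = ("anonymous-allowed", "high") if code < 400 else ("anonymous-probe", "low")
            findings.append({**base, "rule": rule, "severity": sev})
        if ev.get("verb") == "create" and ev.get("objectRef", {}).get("resource") == "pods" and code < 400:
            flags = pod_risk_flags(ev.get("requestObject", {}).get("spec", {}))
            if flags:
                sev = "critical" if is_external(src) else "high"
                findings.append({**base, "rule": "privileged-pod-create", "severity": sev,
                                 "user": user.get("username"), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print(json.dumps(f))
```

Pod-spec flags only appear when the audit policy records the request body (level RequestResponse or Request) for pod creates; with a Metadata-only policy the second rule will never fire, which is itself worth checking before relying on this detection. The anonymous-probe rule is intentionally low severity because a denied request shows the client reached the API server at all, which on a properly network-restricted cluster should not happen from an external address.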