Exposed Kubernetes API
The Exposed Kubernetes API subtechnique falls under the Gain Access phase through External Remote Services. Attackers exploit public-facing or inadequately protected Kubernetes API servers to gain initial access to container orchestration environments. The Kubernetes API server serves as the control plane for managing cluster operations, and when exposed without proper authentication or network controls, adversaries can interact with it directly to query for information, deploy malicious containers, or manipulate existing workloads. This exposure commonly occurs through misconfigured API servers accessible from the internet, insufficient network policies, compromised service account tokens, or improperly secured kubeconfig files. Once access is established, attackers can enumerate cluster resources, deploy privileged containers, and potentially gain complete control over the entire Kubernetes infrastructure, providing a foundation for lateral movement and persistence in cloud-native environments.
Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Disable anonymous Kubernetes API access, bind RBAC roles to least privilege, and require short-lived tokens. |
| M1037 | Filter Network Traffic | Restrict the API server port (:6443) to bastion/VPN networks; enable an API server audit policy with a webhook sink. |
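The two mitigations above are mostly a matter of configuration, so a quick way to verify them is to lint the kube-apiserver command line and the RBAC rules a cluster grants. The following is an added example, not part of the original page: it parses a constructed `kube-apiserver` argv and a constructed ClusterRole rule set and reports anonymous auth left enabled, missing audit policy or webhook sink, missing service-account token lifetime cap, and wildcard or sensitive-resource grants. The flag names follow the kube-apiserver documentation as I know it; the argv and rules are made up for illustration.

```python
"""Lint kube-apiserver flags and RBAC rules against the mitigations above.
Added example with constructed inputs; not from a real cluster."""
from __future__ import annotations

# Constructed kube-apiserver argv, as it might appear in a static pod manifest.
APISERVER_ARGS = [
    "kube-apiserver",
    "--anonymous-auth=true",                      # default is also true
    "--secure-port=6443",
    "--authorization-mode=Node,RBAC",
    "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
    # no --audit-webhook-config-file, no --service-account-max-token-expiration
]

# Constructed rules for a hypothetical "ops-viewer" ClusterRole.
OPS_VIEWER_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

SENSITIVE_RESOURCES = {"secrets", "configmaps", "serviceaccounts/token"}
READ_VERBS = {"get", "list", "watch"}


def parse_flags(argv: list[str]) -> dict[str, str]:
    """Turn ['--k=v', '--flag'] into {'k': 'v', 'flag': 'true'}; a repeated flag keeps its last value."""
    flags: dict[str, str] = {}
    for arg in argv[1:]:
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        flags[key] = value if sep else "true"
    return flags


def check_apiserver(flags: dict[str, str]) -> list[str]:
    """Findings for M1026/M1037 settings that live on the API server itself."""
    findings = []
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth is not disabled (defaults to true)")
    modes = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    if "RBAC" not in modes or "AlwaysAllow" in modes:
        findings.append(f"authorization-mode {sorted(modes)} does not enforce RBAC")
    if "audit-policy-file" not in flags:
        findings.append("no audit policy configured")
    if "audit-webhook-config-file" not in flags:
        findings.append("no audit webhook sink configured")
    if "service-account-max-token-expiration" not in flags:
        findings.append("no cap on service account token lifetime")
    return findings


def check_rbac_rules(rules: list[dict]) -> list[str]:
    """Findings for rules that are wildcard grants or read sensitive resources."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant {sorted(groups)} {sorted(resources)} {sorted(verbs)}")
        elif resources & SENSITIVE_RESOURCES and verbs & READ_VERBS:
            findings.append(f"rule {i}: read access to {sorted(resources & SENSITIVE_RESOURCES)}")
    return findings


if __name__ == "__main__":
    for f in check_apiserver(parse_flags(APISERVER_ARGS)) + check_rbac_rules(OPS_VIEWER_RULES):
        print("FINDING:", f)
```

In practice the argv comes from the static pod manifest on a control-plane node (or the managed-cluster equivalent) and the rules from `kubectl get clusterrole -o json`; the point of the checker is that each mitigation in the table maps to one concrete, testable setting.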
Detection

| ID | Data Source | Detection |
|---|---|---|
| DS0025 | Cloud Service – Enumeration & Metadata | Monitor audit logs for `list`/`watch` requests on sensitive resources (Secrets, ConfigMaps) from unauthenticated principals or first-seen user agents (e.g., `kubectl/`). |
| DS0029 | Network Traffic Flow | Detect repeated API server probe patterns (GET /version, /api, /apis) from the same IP, indicative of enumeration. |
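Both detections can be driven from the API server audit log, which records the verb, the authenticated user, the user agent, the source IPs and the request URI for every request. The following is an added example, not part of the original page: it parses a handful of constructed audit events in JSON-lines shape, flags `list`/`watch` of Secrets or ConfigMaps by anonymous users or by user agents outside a baseline allowlist (my stand-in for "first-seen"), and groups GET probes of `/version`, `/api` and `/apis` by source IP. The event contents, IPs and allowlist are made up for illustration.

```python
"""Run the two detections above over constructed kube-apiserver audit events.
Added example; the events below are made up and trimmed to the fields used."""
import json
from collections import defaultdict

# Constructed audit events (JSON lines, as an audit webhook or log file would carry them).
AUDIT_LINES = [
    '{"verb":"list","user":{"username":"system:serviceaccount:kube-system:deployment-controller","groups":["system:serviceaccounts"]},"userAgent":"kube-controller-manager/v1.29.0","sourceIPs":["10.0.0.5"],"objectRef":{"resource":"configmaps","namespace":"kube-system"},"requestURI":"/api/v1/namespaces/kube-system/configmaps"}',
    '{"verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"userAgent":"curl/8.4.0","sourceIPs":["203.0.113.10"],"requestURI":"/version"}',
    '{"verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"userAgent":"curl/8.4.0","sourceIPs":["203.0.113.10"],"requestURI":"/api"}',
    '{"verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"userAgent":"curl/8.4.0","sourceIPs":["203.0.113.10"],"requestURI":"/apis"}',
    '{"verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"userAgent":"kubectl/v1.29.0","sourceIPs":["203.0.113.10"],"objectRef":{"resource":"secrets","namespace":""},"requestURI":"/api/v1/secrets"}',
    '{"verb":"watch","user":{"username":"alice","groups":["system:authenticated"]},"userAgent":"python-requests/2.31.0","sourceIPs":["198.51.100.7"],"objectRef":{"resource":"secrets","namespace":"prod"},"requestURI":"/api/v1/namespaces/prod/secrets?watch=true"}',
    '{"verb":"get","user":{"username":"alice","groups":["system:authenticated"]},"userAgent":"kubectl/v1.29.0","sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","namespace":"prod"},"requestURI":"/api/v1/namespaces/prod/pods/web-0"}',
]

SENSITIVE = {"secrets", "configmaps"}
PROBE_PATHS = {"/version", "/api", "/apis"}
# Constructed baseline of user-agent families seen before in this cluster.
KNOWN_AGENT_PREFIXES = ("kubectl/", "kube-controller-manager/", "kubelet/", "kube-scheduler/")


def parse_events(lines):
    """Parse JSON-lines audit output into dicts, skipping malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def agent_family(user_agent):
    """'kubectl/v1.29.0' -> 'kubectl/', the part compared against the baseline."""
    return user_agent.split("/", 1)[0] + "/"


def sensitive_enumeration(events, known_prefixes=KNOWN_AGENT_PREFIXES):
    """DS0025: list/watch of Secrets or ConfigMaps by anonymous users or unknown agents."""
    alerts = []
    for ev in events:
        if ev.get("verb") not in {"list", "watch"}:
            continue
        resource = ev.get("objectRef", {}).get("resource")
        if resource not in SENSITIVE:
            continue
        user = ev.get("user", {})
        anonymous = (user.get("username") == "system:anonymous"
                     or "system:unauthenticated" in user.get("groups", []))
        agent = ev.get("userAgent", "")
        unknown_agent = agent_family(agent) not in known_prefixes
        if anonymous or unknown_agent:
            alerts.append({
                "user": user.get("username"), "verb": ev["verb"], "resource": resource,
                "source": (ev.get("sourceIPs") or ["?"])[0],
                "reason": "anonymous" if anonymous else f"unknown user agent {agent}",
            })
    return alerts


def probe_sources(events, min_paths=2):
    """DS0029: source IPs that GET at least min_paths distinct discovery endpoints."""
    paths_by_ip = defaultdict(set)
    for ev in events:
        uri = ev.get("requestURI", "").split("?", 1)[0]
        if ev.get("verb") == "get" and uri in PROBE_PATHS:
            for ip in ev.get("sourceIPs", []):
                paths_by_ip[ip].add(uri)
    return {ip: sorted(paths) for ip, paths in paths_by_ip.items() if len(paths) >= min_paths}


if __name__ == "__main__":
    events = parse_events(AUDIT_LINES)
    for alert in sensitive_enumeration(events):
        print("ALERT:", alert)
    for ip, paths in probe_sources(events).items():
        print(f"PROBE: {ip} hit {paths}")
```

The controller's ConfigMap listing passes because its user agent is in the baseline, which is the usual source of noise for this rule; the anonymous Secrets listing and the Secrets watch from an agent never seen before are the two alerts. Probe detection is kept separate because the discovery endpoints are often reachable even when RBAC blocks everything else, so three of them from one address is a useful early signal on its own.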