What is The Kubenomicon?

The Kubenomicon was born of a desire to understand more about Kubernetes from an offensive perspective. I found many great resources to aid in my journey, but I quickly realized:

I will never be able to solely document every offensive and defensive Kubernetes technique on my own.
Things in the Kubernetes world move really fast and there are constantly new attack surfaces to explore. My solution to this is to start the Kubenomicon -- a place where offensive security techniques and how to defend against them can easily be documented via pull requests to the Kubenomicon GitHub.

This project was heavily inspired by the Kubernetes Threat Matrix from Microsoft which is a great starting point as it provides a framework to help understand some of the concepts in a MITRE ATTACK style framework. The Microsoft Threat Matrix was explicitly not designed to be a playbook offensive for security professionals and thus it lacks the details necessary to actually exploit (and remediate) each attack in Kubernetes cluster.

The Kubenomicon Threat Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Impact
Using Cloud Credentials	Exec inside container	Backdoor Container	Privileged Container	Clear Container Logs	List K8S secrets	Access Kubernetes API Server	Access Cloud Resources	Images from a private registry	Data Destruction
Compromised image in registry	New Container	Writable hostPath mount	Cluster-admin binding	Delete Events	Access Node Information	Access Kubelet API	Container Service Account	Collecting Data From Pod	Resource Hijacking
Kubeconfig File	Application Exploit (RCE)	Kubernetes Cronjob	hostPath Mount	Pod Name Similarity	Container Service Account	Network Mapping	Cluster Internal Networking		Denial of Service
Application Vulnerability	Sidecar Injection	Malicious Admission Controller	Access Cloud Resources	Connect From Proxy Server	Application Credentials In Configuration Files	Exposed Sensitive Interfaces	Application Credentials In Configuration Files
Exposed Sensitive Interfaces		Container Service Account			Access Managed Identity Credentials	Instance Metadata API	Writable hostpath Mount
SSH server running inside container		Static Pods			Malicious Admission Controller		CoreDNS Poisoning
							ARP Poisoning and IP Spoofing

Prior work

I am far from the first person to come up with the idea to document this information. Many great projects exist that take a similar approach to this. Most notably what inspired this project was the Microsoft Kubernetes Threat Matrix. Additionally, late into putting this project together I discovered this amazing Threat matrix from RedGuard. Some other projects that served as inspiration for this include:

Kubernetes Hacktricks