Privilege escalation through sidecar injection in Kubernetes

Privilege escalation through sidecar injection is one of the fastest ways to turn a benign Kubernetes cluster into a security incident. It works by deploying a sidecar container into a target pod, often via misconfigured permissions or overly permissive service accounts. Once inside, the injected sidecar gains the same privileges as the main application, allowing lateral movement, data exfiltration, or direct control over the host environment.

Attackers use this vector when Role-Based Access Control (RBAC) is weak, admission controllers are absent, or the cluster’s API server is exposed with insufficient restrictions. By injecting a privileged sidecar, they can mount host paths, read secrets, run arbitrary binaries, or even create new privileged pods. In hardened environments, this requires chaining exploits—like abusing a workload’s service account token or misusing continuous delivery pipelines—to push the malicious sidecar into production.

Defending against privilege escalation via sidecar injection demands strict isolation. Use least privilege in service accounts. Disable automatic mounting of service account tokens. Apply PodSecurityPolicies or Pod Security Standards to block containers with elevated permissions. Lock down admission control to reject any pod spec that adds unexpected containers. Monitor for changes in pod definitions and container images.

When detection fails, response must be immediate. Kill the compromised pod, revoke service account tokens, rotate credentials, and audit the cluster for other injected containers. Sidecar injection often signals deeper misconfigurations that can be exploited again if left uncorrected.

Privilege escalation sidecar injection is not an abstract problem—it’s a direct path for control takeover. Test your defenses. Break them yourself before someone else does. See it live in minutes at hoop.dev.