K8s Admission Bypass
Understanding Admission Controllers
# Admission flow:
# 1. API Request → Authentication → Authorization → Admission Controllers → etcd
# Types:
# - Validating: Accept/reject requests
# - Mutating: Modify requests before persistence
# Common admission controllers:
# - PodSecurityPolicy (deprecated) / PodSecurity
# - OPA Gatekeeper
# - Kyverno
# - Admission webhooks (custom)
Enumeration
Discover Admission Controllers
# Check enabled admission controllers
kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq
kubectl get --raw /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations | jq
# List all webhook configurations
kubectl get validatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations
# Check specific webhook details
kubectl describe validatingwebhookconfiguration gatekeeper-validating-webhook-configuration
# OPA Gatekeeper constraints
kubectl get constraints
kubectl get constrainttemplates
# Kyverno policies
kubectl get clusterpolicies
kubectl get policies -A
Identify Policy Gaps
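The webhook JSON returned by the `kubectl get --raw .../validatingwebhookconfigurations` command above can be audited for the gaps the later sections are named after. The following is an added example, not code from the original page: it parses a constructed ValidatingWebhookConfigurationList (names and labels are made up) and flags failurePolicy Ignore, timeouts above the 10 s API default, label-based exemptions, and pod rules that miss UPDATE or the pods/ephemeralcontainers subresource.

```python
import json

# Constructed sample, not output from a real cluster: one hardened webhook
# and one that exhibits several of the gaps discussed on this page.
SAMPLE_WEBHOOKS = json.dumps({
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfigurationList",
    "items": [
        {"metadata": {"name": "strict-policy"},
         "webhooks": [{"name": "validate.strict.example",
                       "failurePolicy": "Fail", "timeoutSeconds": 5,
                       "rules": [{"operations": ["CREATE", "UPDATE"],
                                  "apiGroups": [""], "apiVersions": ["v1"],
                                  "resources": ["pods", "pods/ephemeralcontainers"]}]}]},
        {"metadata": {"name": "lenient-policy"},
         "webhooks": [{"name": "validate.lenient.example",
                       "failurePolicy": "Ignore", "timeoutSeconds": 30,
                       "namespaceSelector": {"matchExpressions": [
                           {"key": "policy.example/ignore", "operator": "DoesNotExist"}]},
                       "rules": [{"operations": ["CREATE"],
                                  "apiGroups": [""], "apiVersions": ["v1"],
                                  "resources": ["pods"]}]}]}]})


def audit_webhooks(raw_json):
    """Return (config, webhook, finding) tuples for each weak setting found."""
    findings = []
    for cfg in json.loads(raw_json).get("items", []):
        cfg_name = cfg["metadata"]["name"]
        for wh in cfg.get("webhooks", []):
            name = wh["name"]
            # Ignore means an unreachable or slow webhook admits the request unchecked
            if wh.get("failurePolicy", "Fail") == "Ignore":
                findings.append((cfg_name, name, "failurePolicy=Ignore"))
            # long timeouts widen the window in which a stalled webhook is skipped
            if wh.get("timeoutSeconds", 10) > 10:
                findings.append((cfg_name, name, "timeoutSeconds>10"))
            # any selector lets namespaces/objects opt out via labels; review each one
            for sel in ("namespaceSelector", "objectSelector"):
                if wh.get(sel):
                    findings.append((cfg_name, name, f"{sel} exemption"))
            rules = wh.get("rules", [])
            resources = {r for rule in rules for r in rule.get("resources", [])}
            ops = {o for rule in rules for o in rule.get("operations", [])}
            if "pods" in resources and not resources & {"pods/ephemeralcontainers", "pods/*", "*/*"}:
                findings.append((cfg_name, name, "pods/ephemeralcontainers not covered"))
            if "pods" in resources and not ops & {"UPDATE", "*"}:
                findings.append((cfg_name, name, "UPDATE not covered"))
    return findings
```

Pipe the real `kubectl get --raw` output into `audit_webhooks` to run the same checks against a live cluster; a finding is a review item, not proof of a bypass.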
Policy Bypass Techniques
Excluded Namespace Abuse
Label-Based Bypass
Time-of-Check vs Time-of-Use (TOCTOU)
Ephemeral Container Bypass
Webhook Timeout Bypass
Webhook Availability Attack
Static Pod Bypass
OPA Gatekeeper Specific Bypasses
Constraint Template Gaps
Rego Logic Exploitation
Sync Resource Manipulation
Kyverno Specific Bypasses
Generate Rule Bypass
Background Scan Limitations
Pod Security Standards (PSS) Bypass
Namespace Label Manipulation
RuntimeDefault Bypass
User Namespace Bypass (Kubernetes 1.25+)
Admission Webhook Exploitation
Webhook Configuration Tampering
Certificate Issues
Detection & Prevention
Monitoring Commands
Hardening Recommendations
Checklist
Related Topics