Network-Based Attacks and Man-in-the-Middle

A compromised pod with default capabilities can spoof DNS responses for every application in your cluster. No elevated privileges, no RBAC misconfiguration, no container escape needed. The attacker just needs the NET_RAW capability that Kubernetes grants by default, and a spot on the same node as a CoreDNS pod.
This attack vector, documented by both Aqua Security and CyberArk, is part of the KCSA "Attacker on the Network" scenario from the CNCF Kubernetes Threat Model. It works because Kubernetes networking defaults assume trust: all pods can reach all pods, traffic is unencrypted, and the network layer provides no isolation unless you explicitly add it.
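
A defensive check for the precondition described above, as an added example that is not part of the original lesson: it reads pod specs in the shape of `kubectl get pods -A -o json` output and lists containers that still hold NET_RAW, noting which of them share a node with a DNS pod. The sample data is constructed, the function names are hypothetical, and the `k8s-app=kube-dns` label used to locate CoreDNS pods is an assumption about the cluster.

```python
# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "coredns-x",
                  "labels": {"k8s-app": "kube-dns"}},
     "spec": {"nodeName": "node-1", "containers": [
         {"name": "coredns", "securityContext": {"capabilities": {
             "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"namespace": "shop", "name": "web-1"},
     "spec": {"nodeName": "node-1", "containers": [{"name": "web"}]}},
    {"metadata": {"namespace": "shop", "name": "api-1"},
     "spec": {"nodeName": "node-2", "containers": [
         {"name": "api", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
         {"name": "sidecar"}]}},
]}

def _caps(names):
    """Normalise a capability list to an upper-case set."""
    return {n.upper() for n in names or []}

def retains_net_raw(container):
    """True if the container keeps NET_RAW (the default when nothing is dropped)."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True  # privileged containers hold every capability
    caps = sc.get("capabilities") or {}
    add, drop = _caps(caps.get("add")), _caps(caps.get("drop"))
    if {"NET_RAW", "ALL"} & add:
        return True  # explicitly added: treated as retained (conservative)
    return not ({"NET_RAW", "ALL"} & drop)

def audit(pod_list, dns_label=("k8s-app", "kube-dns")):
    """Return (namespace, pod, container, shares_node_with_dns) per finding."""
    items = pod_list.get("items", [])
    key, val = dns_label  # assumed label for the cluster's DNS pods
    dns_nodes = {p["spec"].get("nodeName") for p in items
                 if (p["metadata"].get("labels") or {}).get(key) == val}
    dns_nodes.discard(None)  # unscheduled pods have no node
    findings = []
    for p in items:
        meta, spec = p["metadata"], p["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if retains_net_raw(c):
                findings.append((meta["namespace"], meta["name"], c["name"],
                                 spec.get("nodeName") in dns_nodes))
    return findings

if __name__ == "__main__":
    for ns, pod, ctr, near_dns in audit(SAMPLE):
        print(f"{ns}/{pod}:{ctr} retains NET_RAW; on a DNS node: {near_dns}")
```

Findings marked as sharing a node with a DNS pod match the exact condition the lesson describes and are the first candidates for dropping the capability.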
KCSA — Kubernetes and Cloud Native Security Associate