KubeDojo

Persistence and Lateral Movement Attacks

by Alexis Kinsella · 15 min read

An attacker gains shell access to a single pod. Within minutes, they have a DaemonSet running cryptominers on every node and a ClusterRoleBinding that survives even after you patch the original vulnerability. You delete the pod. Kubernetes recreates it immediately.

This is persistence in Kubernetes. The same self-healing mechanisms that keep your applications running also keep an attacker's workloads alive. Understanding these techniques, and the lateral movement paths that follow, is core to the KCSA Threat Model domain (16% of the exam). Both the MITRE ATT&CK Containers matrix and the Microsoft Threat Matrix for Kubernetes catalog these attack patterns systematically.
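
One way to spot the two persistence objects described above from the defender's side, as an added example that is not part of the original lesson: it scans API server audit events for successful writes to DaemonSets and ClusterRoleBindings made by a service account outside an allowlist. It assumes audit logging at `Request` level or higher (so `requestObject` is present); the allowlisted `ci:deployer` account and all sample events are constructed for illustration.

```python
import json

# Resources whose creation gives a foothold that outlives the original pod.
PERSISTENCE_RESOURCES = {"daemonsets", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch"}
# Assumption: the only service account expected to write these resources here.
ALLOWED_WRITERS = {"system:serviceaccount:ci:deployer"}


def suspicious_writes(audit_lines):
    """Return (severity, user, resource, name) for unexpected persistence writes."""
    findings = []
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "")
        if ev.get("stage") != "ResponseComplete":
            continue  # only look at finished requests
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") not in PERSISTENCE_RESOURCES:
            continue
        if (ev.get("responseStatus") or {}).get("code", 500) >= 300:
            continue  # denied or failed: nothing was persisted
        if not user.startswith("system:serviceaccount:") or user in ALLOWED_WRITERS:
            continue
        # A binding to cluster-admin survives patching the original vulnerability.
        role = ((ev.get("requestObject") or {}).get("roleRef") or {}).get("name")
        severity = "critical" if role == "cluster-admin" else "high"
        findings.append((severity, user, ref["resource"], ref.get("name", "")))
    return findings


def make_event(user, verb, resource, name, code, request_object=None):
    """Build one constructed audit.k8s.io/v1 event as a JSON line."""
    return json.dumps({
        "kind": "Event", "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "name": name},
        "responseStatus": {"code": code},
        "requestObject": request_object,
    })


POD_SA = "system:serviceaccount:default:web"  # constructed: the compromised pod's identity
SAMPLE_LOG = [  # constructed sample events, not real cluster data
    make_event(POD_SA, "create", "daemonsets", "node-helper", 201),
    make_event(POD_SA, "create", "clusterrolebindings", "ops-binding", 201,
               {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}),
    make_event("system:serviceaccount:ci:deployer", "create", "daemonsets", "log-agent", 201),
    make_event(POD_SA, "create", "clusterrolebindings", "denied-binding", 403),
    make_event(POD_SA, "get", "pods", "web-0", 200),
]

if __name__ == "__main__":
    for finding in suspicious_writes(SAMPLE_LOG):
        print(finding)
```

The denied request (403) and the allowlisted deployer are deliberately skipped; in a real cluster the denied attempt is still worth alerting on separately as a sign of probing.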
