KubeDojo

Privilege Escalation Paths

by Alexis Kinsella · 17 min read

A monitoring service account with nodes/proxy GET shouldn't be able to exec into every pod in the cluster. That permission looks read-only. But Kubernetes authorizes WebSocket exec requests using the GET verb, so that single "read-only" permission is a direct path to cluster-wide code execution.

This is the core pattern of privilege escalation in Kubernetes: the gap between what a permission appears to grant and what it actually enables. Across RBAC verbs, pod configurations, and node-level credentials, attackers exploit these gaps to move from limited access to cluster-admin.
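An audit for the nodes/proxy case described above, as an added example that is not part of the original lesson: it applies RBAC's resource-matching rules to find ClusterRoles that authorize GET on nodes/proxy (including wildcard grants) and lists the subjects bound to them. The role and subject names are constructed sample data shaped like kubectl JSON output; only ClusterRoleBindings are followed because nodes are cluster-scoped.

```python
# Constructed sample, shaped like the "items" array returned by
# `kubectl get clusterroles,clusterrolebindings -o json`. All names are made up.
def _role(name, resources, verbs, groups=("",)):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": list(groups), "resources": list(resources),
                       "verbs": list(verbs)}]}

def _binding(role, kind, name, namespace=None):
    subject = {"kind": kind, "name": name}
    if namespace:
        subject["namespace"] = namespace
    return {"kind": "ClusterRoleBinding", "metadata": {"name": role + "-binding"},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": [subject]}

SAMPLE_ITEMS = [
    _role("monitoring-reader", ["nodes", "nodes/metrics", "nodes/proxy"], ["get", "list"]),
    _role("node-viewer", ["nodes"], ["get", "list", "watch"]),
    _role("read-everything", ["*"], ["get", "list"], groups=["*"]),
    _role("any-proxy", ["*/proxy"], ["*"]),
    _binding("monitoring-reader", "ServiceAccount", "prometheus", "monitoring"),
    _binding("node-viewer", "User", "alice"),
    _binding("read-everything", "Group", "ops"),
]

def grants_nodes_proxy_get(rule):
    """True if an RBAC rule authorizes GET on the core-group nodes/proxy subresource.
    RBAC matches a subresource by exact name, by "*/<subresource>", or by "*"."""
    return (any(g in ("", "*") for g in rule.get("apiGroups", []))
            and any(v in ("get", "*") for v in rule.get("verbs", []))
            and any(r in ("nodes/proxy", "*/proxy", "*") for r in rule.get("resources", [])))

def audit(items):
    """Return (risky ClusterRole names, subjects bound to them cluster-wide)."""
    risky = sorted(i["metadata"]["name"] for i in items
                   if i["kind"] == "ClusterRole"
                   and any(grants_nodes_proxy_get(r) for r in i.get("rules") or []))
    subjects = sorted(
        (b["roleRef"]["name"], s["kind"], s.get("namespace", "-"), s["name"])
        for b in items
        if b["kind"] == "ClusterRoleBinding" and b["roleRef"]["name"] in risky
        for s in b.get("subjects") or [])
    return risky, subjects

if __name__ == "__main__":
    roles, subjects = audit(SAMPLE_ITEMS)
    print("ClusterRoles granting GET on nodes/proxy:", roles)
    for role, kind, ns, name in subjects:
        print(f"  {kind} {ns}/{name} via {role}")
```

A role that looks like plain read access ("read-everything") is flagged alongside the explicit nodes/proxy grant, while "node-viewer", which reads only the nodes resource itself, is not.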


KCSA — Kubernetes and Cloud Native Security Associate
