
security professional security skill risk: medium

Kubernetes Container Escape Detection Auditor

Instructs on auditing Kubernetes pods for container escape vectors including privileged mode, dangerous capabilities, host namespace sharing, and writable hostPath mounts, with Pyt…

  • Policy sensitive
  • Human review
  • External action: medium

SKILL 4 files · 2 folders

SKILL.md
---
name: performing-container-escape-detection
description: "Detects container escape attempts by analyzing namespace configurations, privileged container checks, dangerous"
---
# Performing Container Escape Detection


## When to Use

- When conducting security assessments that involve performing container escape detection
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites

- Familiarity with container security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Audit Kubernetes pods for container escape vectors including privileged mode,
dangerous capabilities, host namespace sharing, and writable hostPath mounts.

```python
from kubernetes import client, config

# Use the local kubeconfig; fall back to the in-cluster service account
# when the audit itself runs as a pod (e.g. a scheduled job).
try:
    config.load_kube_config()
except config.ConfigException:
    config.load_incluster_config()
v1 = client.CoreV1Api()

# Needs RBAC permission to list pods in all namespaces.
pods = v1.list_pod_for_all_namespaces()
for pod in pods.items:
    # Init containers can be privileged too and are easy to overlook.
    containers = (pod.spec.init_containers or []) + pod.spec.containers
    for container in containers:
        sc = container.security_context
        if sc and sc.privileged:
            print(f"PRIVILEGED: {pod.metadata.namespace}/{pod.metadata.name}/{container.name}")
```

Key escape vectors:
1. Privileged containers (`privileged: true` disables most isolation and gives full access to the host's devices)
2. Dangerous capabilities, above all CAP_SYS_ADMIN (mount, cgroup and namespace operations); CAP_SYS_PTRACE becomes an escape when combined with hostPID
3. Host PID/Network/IPC namespace sharing (`hostPID`, `hostNetwork`, `hostIPC` at pod level)
4. Writable hostPath mounts of the node's / or /etc (read-only mounts still expose node credentials but are not an escape by themselves)
5. Docker socket mount (/var/run/docker.sock), which is full control of the runtime and therefore root on the node; the containerd and CRI-O sockets under /run are equivalent

## Examples

```python
# Check for Docker socket mounts (continues from the `pods` listing above;
# containerd and CRI-O sockets are exposed the same way)
for pod in pods.items:
    for vol in pod.spec.volumes or []:
        if vol.host_path and "docker.sock" in (vol.host_path.path or ""):
            print(f"Docker socket exposed: {pod.metadata.namespace}/{pod.metadata.name}")
```
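The key vectors list and the socket snippet above leave the reader to assemble the checks. Here is an added example, not part of the skill's own files, that turns all five vectors into one executable audit. It works on the JSON form of a Pod list (what `kubectl get pods -A -o json` returns), so it runs offline against an export or the constructed sample manifests embedded below, and it goes beyond the list in two places: it also inspects init and ephemeral containers, and it treats CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH and the containerd/CRI-O sockets as equivalents of the listed items. The function names (`audit_pod`, `audit_pods`) and the sample pods are assumptions.

```python
"""Offline audit of Kubernetes pod manifests for container escape vectors.

Added example (not from the skill). Input is a PodList in JSON form, so the
logic can be exercised without cluster access.
"""
import json
import sys

# hostPath roots that hand over the node's filesystem
SENSITIVE_HOST_PATHS = ("/", "/etc")
# Container runtime control sockets; any of them is root on the node
RUNTIME_SOCKETS = (
    "/var/run/docker.sock", "/run/docker.sock",
    "/var/run/containerd/containerd.sock", "/run/containerd/containerd.sock",
    "/var/run/crio/crio.sock", "/run/crio/crio.sock",
)
# Capabilities that commonly turn into an escape (ALL implies SYS_ADMIN)
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH", "ALL"}


def _norm_cap(cap):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _all_containers(spec):
    """Yield init, regular and ephemeral containers; all of them can escape."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key) or []:
            yield c


def _host_path_volumes(spec):
    """Map volume name -> normalised host path for every hostPath volume."""
    out = {}
    for vol in spec.get("volumes") or []:
        hp = vol.get("hostPath") or {}
        if hp.get("path"):
            out[vol["name"]] = hp["path"].rstrip("/") or "/"
    return out


def _is_sensitive(path):
    return path in SENSITIVE_HOST_PATHS or path.startswith("/etc/")


def _exposes_socket(path):
    """True if path is a runtime socket or a directory that contains one."""
    return any(s == path or s.startswith(path + "/") for s in RUNTIME_SOCKETS)


def audit_pod(pod):
    """Return (severity, vector, detail) findings for one pod manifest."""
    spec = pod.get("spec") or {}
    meta = pod.get("metadata") or {}
    ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    # Vector 3: host namespace sharing is a pod-level setting
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", "host-namespace", f"{ref}: {flag}=true"))
    host_paths = _host_path_volumes(spec)
    for c in _all_containers(spec):
        cref = f"{ref}/{c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        # Vector 1: privileged container
        if sc.get("privileged"):
            findings.append(("CRITICAL", "privileged", cref))
        # Vector 2: dangerous added capabilities
        added = {_norm_cap(x) for x in (sc.get("capabilities") or {}).get("add") or []}
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(("HIGH", "capability", f"{cref}: CAP_{cap}"))
        # Vectors 4 and 5: a hostPath volume only matters once a container mounts it
        for m in c.get("volumeMounts") or []:
            path = host_paths.get(m.get("name"))
            if path is None:
                continue
            target = f"{cref}: {path} -> {m.get('mountPath')}"
            if _exposes_socket(path):
                # readOnly does not help here: connect() on a socket is not a filesystem write
                findings.append(("CRITICAL", "runtime-socket", target))
            if _is_sensitive(path):
                sev, vec = ("MEDIUM", "hostpath-readonly") if m.get("readOnly") else ("CRITICAL", "hostpath-writable")
                findings.append((sev, vec, target))
    return findings


def audit_pods(items):
    """Audit every pod in a PodList's 'items'."""
    return [f for pod in items for f in audit_pod(pod)]


# Constructed sample manifests (assumed data, not from a real cluster)
SAMPLE_PODS = [
    {"metadata": {"namespace": "default", "name": "safe-web"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.25",
                              "securityContext": {"runAsNonRoot": True,
                                                  "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "kube-system", "name": "node-agent"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}},
                          {"name": "run", "hostPath": {"path": "/var/run"}}],
              "containers": [{"name": "agent", "image": "agent:1",
                              "securityContext": {"privileged": True,
                                                  "capabilities": {"add": ["cap_sys_admin", "NET_BIND_SERVICE"]}},
                              "volumeMounts": [{"name": "root", "mountPath": "/host"},
                                               {"name": "run", "mountPath": "/var/run", "readOnly": True}]}]}},
]

if __name__ == "__main__":
    # `kubectl get pods -A -o json | python3 escape_audit.py -` audits a live cluster
    items = json.load(sys.stdin)["items"] if sys.argv[1:] == ["-"] else SAMPLE_PODS
    for sev, vec, detail in audit_pods(items):
        print(f"{sev:8} {vec:18} {detail}")
```

Run without arguments to see the findings for the embedded samples (the `node-agent` pod trips all five vectors; `/var/run` is flagged because the Docker socket lives under it, and its `readOnly: true` does not mitigate that). Mount-level rather than volume-level checking avoids false positives on hostPath volumes that no container actually mounts.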

REQUIRED CONTEXT

  • Kubernetes cluster access
  • Python environment with kubernetes client

EXPECTED OUTPUT

Format
markdown
Constraints
  • include Python code examples
  • list key escape vectors

EXAMPLES

Includes two Python code examples demonstrating privileged container checks and Docker socket mount detection.

CAVEATS

Dependencies
  • Familiarity with container security concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities
Missing context
  • Expected output format or report structure
  • Error handling or authentication details for Kubernetes client
  • How to integrate the listed key vectors into executable checks
Ambiguities
  • Description field is truncated mid-sentence ('dangerous')
  • Code snippet only implements privileged check and does not cover the other listed escape vectors

QUALITY

OVERALL
0.60
CLARITY
0.65
SPECIFICITY
0.70
REUSABILITY
0.55
COMPLETENESS
0.50

IMPROVEMENT SUGGESTIONS

  • Complete the Python example to cover all five key escape vectors listed
  • Add a clear 'Output Format' section specifying what the script should print or return
  • Finish the truncated description sentence for full clarity

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
