| name | container-k8s-escape |
| description | Use when breaking out of a container or escalating inside Kubernetes — runc/BuildKit CVEs, privileged/capability/cgroup misconfig escapes, NVIDIA GPU toolkit escape, K8s RBAC abuse, kubelet RCE, ingress/admission-controller RCE, node-to-cluster pivot |
| metadata | {"type":"offensive","phase":"exploit-install-actions","tools":"kubectl, crictl, runc, deepce, cdk, kube-hunter, peirates, amicontained, trufflehog, falco, kubeletctl, nsenter","mitre":["T1611","T1610","T1613","T1552.001","T1552.007","T1078.001","T1068","T1496"]} |
| kill_chain | {"phase":["exploit","install","actions"],"step":[4,5,7],"attck_tactics":["TA0002","TA0004","TA0005","TA0006","TA0008"],"attck_techniques":["T1611","T1610","T1613","T1609","T1552.001","T1552.007","T1078.001","T1068","T1496","T1610"]} |
| depends_on | ["recon-osint","cloud-security","vulnerability-analysis"] |
| feeds_into | ["cloud-security","red-team-ops","privesc-linux","active-directory-attack"] |
| inputs | ["container_context","k8s_service_account","kubeconfig","node_access","registry_push_access"] |
| outputs | ["host_root_shell","node_compromise","stolen_sa_tokens","cluster_admin","attack_path","escape_finding"] |
| references | ["references/runtime-cve-escapes.md","references/privileged-misconfig-escape.md","references/nvidia-gpu-escape.md","references/k8s-rbac-escalation.md","references/ingress-admission-attacks.md","references/node-host-pivot.md"] |
| scripts | ["scripts/escape_enum.sh","scripts/runc_cwd_escape.py","scripts/release_agent_escape.sh","scripts/nvidiascape_build.sh","scripts/k8s_rbac_audit.py","scripts/kubelet_exec.py"] |