<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Google Kubernetes Engine (GKE) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/google-kubernetes-engine-gke/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 16:54:43 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/google-kubernetes-engine-gke/feed.xml" rel="self" type="application/rss+xml"/><item><title>GKE Pod Created With HostIPC Sharing</title><link>https://feed.craftedsignal.io/briefs/2026-07-gcp-gke-host-ipc-escalation/</link><pubDate>Mon, 06 Jul 2026 16:54:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-gcp-gke-host-ipc-escalation/</guid><description>A privilege escalation threat in Google Kubernetes Engine (GKE) involves an attacker creating or modifying a pod to enable host Inter-Process Communication (IPC) namespace sharing, which exposes host IPC mechanisms and can lead to privilege escalation within the cluster by allowing the pod to interact directly with the underlying host's processes.</description><content:encoded><![CDATA[<p>This threat brief describes a privilege escalation vector in Google Kubernetes Engine (GKE) where an attacker with appropriate permissions creates or modifies a Kubernetes pod to enable <code>hostIPC</code> namespace sharing. This configuration allows the pod to access and manipulate Inter-Process Communication (IPC) mechanisms on the underlying host node, potentially leading to unauthorized access and control over the host operating system. This technique is a well-known method for container escape and privilege escalation in Kubernetes environments, enabling a compromised pod to break out of its isolation and affect other workloads or the cluster infrastructure. Defenders should focus on detecting this specific pod configuration to prevent adversaries from elevating their privileges within GKE clusters.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker gains initial access to the GKE cluster, potentially through compromised credentials, exploitation of a vulnerable application running within a pod, or misconfigured access controls.</li>
<li><strong>Privilege Discovery</strong>: The attacker assesses their current permissions within the cluster, identifying roles or service accounts that allow for pod creation, update, or patching.</li>
<li><strong>Malicious Pod Specification</strong>: The attacker crafts a Kubernetes pod specification that includes <code>hostIPC: true</code> in its configuration.</li>
<li><strong>Pod Creation/Modification</strong>: The attacker either creates a new pod with the malicious specification or patches an existing pod to enable <code>hostIPC</code> sharing. This action requires specific API permissions within the GKE cluster.</li>
<li><strong>Host IPC Access</strong>: The newly created or modified pod is now able to interact with the host system's IPC facilities, such as System V IPC or POSIX message queues.</li>
<li><strong>Privilege Escalation</strong>: The attacker leverages the host IPC access to exploit vulnerabilities or misconfigurations on the host node, allowing them to gain elevated privileges or achieve a container escape.</li>
<li><strong>Impact</strong>: With host-level privileges, the attacker can then perform further actions, including lateral movement to other nodes, data exfiltration from the host, or disruption of critical cluster services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this privilege escalation technique allows an attacker to break out of the container's isolation and gain elevated privileges on the underlying GKE host node. This can lead to a complete compromise of the node, enabling the adversary to access sensitive data, install malicious software, disrupt services running on the node, or potentially move laterally to other nodes or even the entire Kubernetes cluster control plane. While no specific victim count is provided, any organization utilizing GKE clusters is susceptible if proper security controls are not in place to prevent or detect such configurations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;GKE Pod Created With HostIPC&quot; to your SIEM to detect attempts to create or modify pods with host IPC enabled.</li>
<li>Ensure GKE audit logging is enabled and configured to capture <code>io.k8s.core.v1.pods.create</code>, <code>io.k8s.core.v1.pods.update</code>, and <code>io.k8s.core.v1.pods.patch</code> events for the <code>gcp.audit</code> log source.</li>
<li>Implement and enforce Pod Security Standards (PSS) or Pod Security Policies (PSP, deprecated) in your GKE clusters to prevent the deployment of pods with <code>hostIPC: true</code> in untrusted namespaces.</li>
<li>Baseline legitimate usage of <code>hostIPC</code> in your environment and configure exclusions in the &quot;GKE Pod Created With HostIPC&quot; rule for trusted users or namespaces if necessary, after thorough review.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>gcp</category><category>kubernetes</category><category>privilege-escalation</category><category>container-security</category><category>cloud-security</category><category>host-ipc</category></item></channel></rss>