Container Escape Detection

v20260317

performing-container-escape-detection

Analyzes Kubernetes pod specs to flag privileged containers, dangerous capabilities, host namespace sharing, writable hostPath mounts, and Docker socket exposures, letting security teams audit escape vectors or investigate incidents.

Container Security Escape Kubernetes Detection Audit Python Compliance

Get Skill

449 downloads

Overview

Performing Container Escape Detection

Instructions

Audit Kubernetes pods for container escape vectors including privileged mode, dangerous capabilities, host namespace sharing, and writable hostPath mounts.

from kubernetes import client, config
config.load_kube_config()
v1 = client.CoreV1Api()

pods = v1.list_pod_for_all_namespaces()
for pod in pods.items:
    for container in pod.spec.containers:
        sc = container.security_context
        if sc and sc.privileged:
            print(f"PRIVILEGED: {pod.metadata.namespace}/{pod.metadata.name}")

Key escape vectors:

Privileged containers (full host access)
CAP_SYS_ADMIN capability
Host PID/Network/IPC namespace sharing
Writable hostPath mounts to / or /etc
Docker socket mount (/var/run/docker.sock)

Examples

# Check for docker socket mounts
for vol in pod.spec.volumes or []:
    if vol.host_path and "docker.sock" in (vol.host_path.path or ""):
        print(f"Docker socket exposed: {pod.metadata.name}")

Info

Category Development

Name performing-container-escape-detection

Version v20260317

Size 7.58KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18