容器逃逸检测

v20260317

performing-container-escape-detection

分析 Kubernetes Pod 配置，识别特权容器、危险能力、主机命名空间共享、可写 hostPath 以及 Docker Socket 暴露，帮助审计容器逃逸向量或调查安全事件。

容器安全逃逸 Kubernetes 检测审计 Python 合规

获取技能

449 次下载

概览

Performing Container Escape Detection

Instructions

Audit Kubernetes pods for container escape vectors including privileged mode, dangerous capabilities, host namespace sharing, and writable hostPath mounts.

from kubernetes import client, config
config.load_kube_config()
v1 = client.CoreV1Api()

pods = v1.list_pod_for_all_namespaces()
for pod in pods.items:
    for container in pod.spec.containers:
        sc = container.security_context
        if sc and sc.privileged:
            print(f"PRIVILEGED: {pod.metadata.namespace}/{pod.metadata.name}")

Key escape vectors:

Privileged containers (full host access)
CAP_SYS_ADMIN capability
Host PID/Network/IPC namespace sharing
Writable hostPath mounts to / or /etc
Docker socket mount (/var/run/docker.sock)

Examples

# Check for docker socket mounts
for vol in pod.spec.volumes or []:
    if vol.host_path and "docker.sock" in (vol.host_path.path or ""):
        print(f"Docker socket exposed: {pod.metadata.name}")

信息

Category 编程开发

Name performing-container-escape-detection

版本 v20260317

大小 7.58KB

Source mukul975/Anthropic-Cybersecurity-Skills

更新时间 2026-03-18