CLOUD SECURITY

Emerging Threats in Cloud Container Environments – 2025 Outlook

AUTHOR: Rey Intelligence Unit
REDACTED: January 15, 2026
READ_EST: 12 min read

Executive Summary

The rapid adoption of container orchestration has introduced novel attack surfaces that traditional perimeter defenses fail to address. In 2025–2026 we observed a 340% increase in container escape exploits leveraging misconfigured RBAC and vulnerable runtime images.

Key Attack Vectors Observed

  • eBPF-based rootkit deployment via privileged pods
  • Sidecar injection through malicious init containers
  • Credential harvesting from mounted service account tokens
  • Kernel module loading via hostPath volume mounts

Hardening Recommendations (Production Grade)

1. Enforce Pod Security Admission (PSA) at "restricted" level
2. Implement network policies with default-deny ingress/egress
3. Use minimal base images (distroless or scratch) and sign with cosign
4. Rotate service account tokens every 24 hours via IRSA or Workload Identity
5. Deploy Falco or Tetragon for runtime behavioral detection
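The attack vectors and hardening steps above can be checked statically before a manifest reaches the cluster. The following is an added example, not code from the report: it inspects a Pod manifest parsed into a dict (e.g. from YAML) and flags each setting that enables one of the listed vectors, covering a subset of what PSA "restricted" enforces (seccomp and volume types other than hostPath are not checked). Both sample pods are constructed for this example.

```python
# Added example, not from the report: a static pre-admission check that flags,
# in a Kubernetes Pod manifest parsed into a dict, each setting enabling one of
# the attack vectors listed above (all also rejected by PSA "restricted").
def check_pod(pod: dict) -> list[str]:
    """Return human-readable findings; an empty list means the pod passes."""
    findings: list[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    # Vector: kernel module loading via hostPath (node filesystem reachable from the pod).
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')!r} is a hostPath to {vol['hostPath'].get('path')}")
    # Vector: credential harvesting from an auto-mounted service account token.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: automountServiceAccountToken is not false")
    # Vectors: privileged pods (eBPF rootkits) and init containers (sidecar injection).
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            ref = f"{name}/{kind}/{c['name']}"
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                findings.append(f"{ref}: privileged=true")
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(f"{ref}: allowPrivilegeEscalation must be false")
            if sc.get("runAsNonRoot") is not True:
                findings.append(f"{ref}: runAsNonRoot must be true")
            caps = sc.get("capabilities", {})
            if caps.get("add") or "ALL" not in caps.get("drop", []):
                findings.append(f"{ref}: capabilities must drop ALL and add none")
    return findings


# Constructed sample: a "debug" pod that trips every check.
RISKY_POD = {
    "metadata": {"name": "debug-agent"},
    "spec": {"volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
             "initContainers": [{"name": "setup",
                                 "securityContext": {"privileged": True}}],
             "containers": [{"name": "agent", "securityContext": {
                 "capabilities": {"add": ["SYS_MODULE"]}}}]},
}

# Constructed sample: the same workload with the hardening steps applied.
HARDENED_POD = {
    "metadata": {"name": "agent"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "agent", "securityContext": {
                 "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                 "capabilities": {"drop": ["ALL"]}}}]},
}
```

Running `check_pod(RISKY_POD)` yields nine findings (hostPath, auto-mounted token, and privilege/capability issues on both containers), while `check_pod(HARDENED_POD)` returns an empty list.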

Full technical report with IoCs and YARA rules available upon verified request.