
Kubernetes Escape Room

Adversarial Kubernetes lab: walk through real container-escape and privilege-escalation chains — SA token recon, docker.sock mounts, hostPID, etcd snapshot leaks, pods/exec → cluster-admin, and CVE defense — and identify the control that breaks each step. Free, no signup.

Adversarial Kubernetes lab. Six scenarios walk through real cluster-compromise chains: ServiceAccount token reconnaissance closed by automountServiceAccountToken: false, docker.sock host-mount escapes blocked by PodSecurity restricted, hostPID/hostNetwork process traversal, etcd snapshot leaks defeated by KMS encryption-at-rest, pods/exec → cluster-admin via stolen privileged SA tokens, and defence-in-depth posture against container-runtime CVEs.

What You Practice

  • Recognizing production failure modes before they become incidents.
  • Connecting security, reliability, and operational choices to real engineering outcomes.
  • Building intuition through short interactive scenarios instead of passive reading only.
