The DevOpsBeast Blog

Production engineering notes.

Field notes on Kubernetes, GPUs, Linux, and the rest of the production stack, from engineers who run real infrastructure.

RSS·subscribe in your feed reader
All (37)DevOpsBeast (2)GPU (1)GPU Cost Optimization (1)GPU Infrastructure (3)Kubernetes (1)Kubernetes Debugging (4)Kubernetes Networking (2)Kubernetes Operations (2)Kubernetes Performance (1)Kubernetes Security (1)Linux (2)LLM Infrastructure (7)Networking (2)Security (8)
Kubernetes Security··13 min read

A Pod in Your Cluster Just Got Compromised. Walk Me Through the Blast Radius.

One container gets popped — an RCE in an app, a malicious dependency, a leaked token. The junior answer is 'kill the pod.' The senior answer traces the blast radius: from the mounted ServiceAccount token to the API server, across a flat pod network to the cloud metadata endpoint, and through a privileged pod to the node and every secret on it. The attacker's path layer by layer, and the single control that caps the damage at each one — the difference between 'one pod' and 'whole cluster.'

Read post