
Invisible Kubernetes RCE: Why Nodes/Proxy GET is More Dangerous Than You Think

Blog post from Stream.Security

Post Details
Author: Petr Zuzanov
Word Count: 1,270
Language: English
Summary

A critical vulnerability in Kubernetes' Role-Based Access Control (RBAC) has been identified, allowing attackers with nodes/proxy GET permissions to execute arbitrary commands in any Pod, potentially leading to a full cluster compromise. The flaw stems from a mismatch between WebSocket connection protocols and Kubernetes RBAC authorization, where GET permissions are incorrectly assumed to be "read-only" but can facilitate remote code execution by exploiting the /exec endpoint exposed by the Kubelet. Standard Kubernetes audit logging fails to capture such attacks, leaving a significant detection gap for security teams relying on native cloud security services like AWS GuardDuty for EKS, Azure Defender for Containers, and GCP Security Command Center, which are blind to this threat. Stream.Security addresses this gap by deploying lightweight agents on cluster nodes to monitor direct Kubelet API connections, process executions, and network activity, enabling real-time detection and alerting of such bypasses, thus enhancing security beyond traditional API-level monitoring.
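
An added example, not code from the Stream.Security post: one way to audit a cluster for the permission the summary describes, by finding every ClusterRole that grants GET on `nodes/proxy` and the subjects bound to it. The sample objects and their names are constructed, and the matching assumes standard Kubernetes RBAC resource rules (`*`, an exact `nodes/proxy`, or `*/proxy`).

```python
"""Flag ClusterRoles that grant GET on nodes/proxy and list who is bound to them."""

# Constructed sample objects, shaped like the items returned by
# `kubectl get clusterroles,clusterrolebindings -o json` (names are made up).
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy", "nodes/metrics"],
                "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"],
                "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "proxy-any"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "monitoring"},
     "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring",
                   "name": "agent"}]},
]


def rule_grants_nodes_proxy_get(rule):
    """RBAC match for verb=get, core API group, resource=nodes, subresource=proxy."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (("get" in verbs or "*" in verbs)
            and ("" in groups or "*" in groups)
            and any(r in ("*", "nodes/proxy", "*/proxy") for r in resources))


def find_exposure(items):
    """Return {cluster_role_name: [bound subjects]} for every matching ClusterRole."""
    risky = {i["metadata"]["name"]: [] for i in items
             if i["kind"] == "ClusterRole"
             and any(rule_grants_nodes_proxy_get(r) for r in i.get("rules") or [])}
    # nodes is cluster-scoped, so only ClusterRoleBindings can hand this grant out.
    for i in items:
        if i["kind"] == "ClusterRoleBinding" and i["roleRef"]["name"] in risky:
            for s in i.get("subjects") or []:
                ns = s.get("namespace")
                risky[i["roleRef"]["name"]].append(
                    f'{s["kind"]}:{ns + "/" if ns else ""}{s["name"]}')
    return risky


if __name__ == "__main__":
    for role, subjects in find_exposure(SAMPLE_ITEMS).items():
        print(role, "->", subjects or "no bindings in input")
```

Roles flagged with no bound subjects are still worth reviewing, since a later binding would activate the grant.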