Skip to content

T1552.007 Container API

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.23

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.1 An adversary with sufficient permissions, such as via a pod’s service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

Item Value
ID T1552.007
Sub-techniques T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1552.007, T1552.008
Tactics TA0006
Platforms Containers
Version 1.2
Created 31 March 2021
Last Modified 15 April 2023

Procedure Examples

ID Name Description
S0683 Peirates Peirates can query the Kubernetes API for secrets.11


ID Mitigation Description
M1035 Limit Access to Resource Over Network Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.47 In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.5 Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.6
M1030 Network Segmentation Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.
M1026 Privileged Account Management Use the principle of least privilege for privileged accounts such as the service account in Kubernetes. For example, if a pod is not required to access the Kubernetes API, consider disabling the service account altogether.10
M1018 User Account Management Enforce authentication and role-based access control on the container API to restrict users to the least privileges required.9 When using Kubernetes, avoid giving users wildcard permissions or adding users to the system:masters group, and use RoleBindings rather than ClusterRoleBindings to limit user privileges to specific namespaces.8


ID Data Source Data Component
DS0017 Command Command Execution
DS0002 User Account User Account Authentication