One built-in command, or “mutation,” called killProcesses can shut down processes on other pods, including important ones such as the Kubernetes storage provisioner pod or the API server pod. If these pods are disabled, the entire cluster suffers a denial of service.
OS command injection and lateral movement
Some mutations, such as cleanTcs, killProcesses, and cleanIptables, allow appended shell commands to execute on targeted pods. Attackers can use this functionality to perform OS command injections and achieve lateral movement by extracting Service Account Tokens from those pods.
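The injection pattern described above, as an added illustration that is not Chaos Mesh code: a mutation parameter (here a hypothetical network interface name for a "clean tc" style action) is concatenated into a shell string, so anything appended to the parameter becomes a second command. The hardened form validates the parameter against the shape an interface name can legitimately have and passes it to the binary as a single argv element with no shell in between. The `tc` invocation and the 15-character interface-name limit are assumptions for the example; nothing is executed, only the argument vectors are built and compared.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Unsafe construction (constructed example, not the project's code): the
// parameter is spliced into a shell script, so "eth0; id" yields two commands.
func buildUnsafeCommand(device string) *exec.Cmd {
	return exec.Command("sh", "-c", "tc qdisc del dev "+device+" root")
}

// UnsafeShellScript exposes the script string the shell would receive, so the
// effect of the concatenation can be inspected without running it.
func UnsafeShellScript(device string) string {
	cmd := buildUnsafeCommand(device)
	return cmd.Args[len(cmd.Args)-1]
}

// Linux interface names are at most 15 characters and never contain shell
// metacharacters (assumed limit for this example); reject anything else.
var deviceNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)

// ValidateDeviceName returns an error for any value that is not a plausible
// interface name, including values carrying appended shell syntax.
func ValidateDeviceName(device string) error {
	if !deviceNameRe.MatchString(device) {
		return fmt.Errorf("invalid interface name %q", device)
	}
	return nil
}

// BuildSafeCommand validates first and then builds argv directly with no shell,
// so the parameter can only ever be one argument to tc.
func BuildSafeCommand(device string) (*exec.Cmd, error) {
	if err := ValidateDeviceName(device); err != nil {
		return nil, err
	}
	return exec.Command("tc", "qdisc", "del", "dev", device, "root"), nil
}

func main() {
	for _, dev := range []string{"eth0", "eth0; id"} {
		fmt.Printf("%-12q shell would receive: %q\n", dev, UnsafeShellScript(dev))
		if cmd, err := BuildSafeCommand(dev); err != nil {
			fmt.Println("            hardened path rejected it:", err)
		} else {
			fmt.Printf("            hardened argv: %q\n", cmd.Args)
		}
	}
}
```

The check belongs at the API boundary where the mutation is accepted, not only at the point of execution, so that a request carrying shell syntax is refused before it reaches any daemon with host-level privileges.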
The Chaos Daemon mounts each pod’s filesystem under a /proc/<PID>/root file path to facilitate executing commands on them. An attacker in control of the Chaos Daemon can simply cycle through the PIDs of all pods to extract their Service Account Tokens, which are stored at a specific path in their filesystems: /proc/<PID>/root/var/run/secrets/kubernetes.io/serviceaccount/token. These tokens can then be used with the Kubernetes kubectl tool to execute arbitrary commands on those pods.
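A detection angle on the behaviour described above, as an added example that is not part of the original article: a process reading another pod's service account token through its /proc/<PID>/root view is a narrow, high-signal event, and one process doing so for many distinct PIDs is the "cycle through the PIDs" pattern. The log lines are constructed for the example in a simplified key=value form (a process name, its PID and the path it opened); they are not real audit output, and the field names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample records, one file open per line. Line 1 is a pod reading
// its own token, which is normal; line 3 is a cross-pod read of an unrelated
// file; lines 2, 4 and 5 are cross-pod token reads by the same process.
const sampleLog = `ts=1 comm=app pid=900 path=/var/run/secrets/kubernetes.io/serviceaccount/token
ts=2 comm=chaos-daemon pid=4242 path=/proc/1337/root/var/run/secrets/kubernetes.io/serviceaccount/token
ts=3 comm=chaos-daemon pid=4242 path=/proc/1338/root/etc/hostname
ts=4 comm=chaos-daemon pid=4242 path=/proc/1338/root/var/run/secrets/kubernetes.io/serviceaccount/token
ts=5 comm=chaos-daemon pid=4242 path=/proc/1339/root/var/run/secrets/kubernetes.io/serviceaccount/token`

// Matches the token path reached through another process's root directory
// and captures that process's PID.
var crossPodTokenRe = regexp.MustCompile(
	`^/proc/(\d+)/root/var/run/secrets/kubernetes\.io/serviceaccount/token$`)

// Finding records which process read which other process's token.
type Finding struct {
	ReaderComm string
	ReaderPID  string
	TargetPID  string
}

// parseFields splits a "k=v k=v" record into a map; malformed tokens are skipped.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// CrossPodTokenReads returns one finding per record in which a process opened
// a service account token via /proc/<PID>/root.
func CrossPodTokenReads(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		f := parseFields(line)
		m := crossPodTokenRe.FindStringSubmatch(f["path"])
		if m == nil {
			continue
		}
		out = append(out, Finding{ReaderComm: f["comm"], ReaderPID: f["pid"], TargetPID: m[1]})
	}
	return out
}

// SweepingReaders returns reader PIDs that pulled tokens from at least
// threshold distinct target PIDs, with the count of targets for each.
func SweepingReaders(findings []Finding, threshold int) map[string]int {
	targets := map[string]map[string]bool{}
	for _, f := range findings {
		if targets[f.ReaderPID] == nil {
			targets[f.ReaderPID] = map[string]bool{}
		}
		targets[f.ReaderPID][f.TargetPID] = true
	}
	out := map[string]int{}
	for pid, set := range targets {
		if len(set) >= threshold {
			out[pid] = len(set)
		}
	}
	return out
}

func main() {
	findings := CrossPodTokenReads(sampleLog)
	for _, f := range findings {
		fmt.Printf("%s (pid %s) read the token of pid %s\n", f.ReaderComm, f.ReaderPID, f.TargetPID)
	}
	for pid, n := range SweepingReaders(findings, 2) {
		fmt.Printf("ALERT: pid %s read tokens from %d distinct pods\n", pid, n)
	}
}
```

Even a single cross-pod token read is worth alerting on; the threshold in `SweepingReaders` only separates a one-off from a sweep. Reducing the blast radius in the first place means not running the daemon with host PID access and host filesystem visibility unless the mutation actually requires it, and scoping its service account to the namespaces it is meant to touch.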