https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes/-/tree/master/K8s-GKE-attack-notes#architecture-overview
As an attacker, it is important to know the components involved in a generic K8s environment. It is not really necessary to know how to properly install/scale/manage/deploy a K8s cluster as we just want to be able to attack it and then steal and abuse whatever is available!
However, as for any hacking activities, it is all about "understanding how things work" and the more knowledge attackers have about their target, the better they will be at attacking it. We therefore start looking at the high level architecture and then focus on areas that would be interesting (everything that will allow privilege escalation, lateral movement within the cluster and outside). If you want more architectural details, the official Kubernetes site is an interesting starting point.
In a generic K8s configuration, the main components/features are the following:
Within K8s, everything is considered as "objects" and managed through the API server. All objects creations/changes are usually submitted in a declarative way, by sending yaml or json files. The kubectl binary is the classic binary client used to interact with this REST API. It is however possible to interact with the API using classic web clients (curl, wget, etc). Unless configured differently, tokens or private keys will need to be sent in the header of those requests to be accepted (more about auth later).
As drawings are better than long explanations, here are some diagrams showing the main components:
General architecture (from https://kubernetes.io/docs/concepts/overview/components/):
.
Node composition (from https://kubernetes.io/docs/tutorials/kubernetes-basics/explore/explore-intro/):
As mentioned above, almost everything in K8s is treated as "objects", here is a brief description of a few of them you might see in configuration files: