Observing Escalation Paths in Kubernetes
William Taylor
fwd:cloudsec North America 2026 · Day 1
In this talk from fwd:cloudsec, William Taylor, a Security Consultant at Reverse, examines the often-overlooked security implications of **observability tools** in **Kubernetes** environments. The presentation highlights a fundamental conflict between the architectural need for pervasive monitoring and the security principle of **least privilege**, and demonstrates how commonly deployed observability agents can inadvertently introduce critical **privilege escalation paths** that can lead to cluster compromise. Taylor illustrates these vulnerabilities with real-world examples, focusing in particular on the Amazon CloudWatch observability add-on in EKS.
AI review
Competent, well-structured research on a real attack surface — the observability-vs-least-privilege tension in Kubernetes is genuinely underappreciated. The aws-auth ConfigMap escalation is a clean finding with a credible PoC chain, but neither primitive is new to anyone who's been watching the k8s security space, and the nodes/proxy abuse was already documented publicly before this talk.