May 30, 2022

Why Trampoline DaemonSets are the stuff of nightmares, KubeCon & CloudNativeCon Europe 2022

A few simple approaches to protecting your K8s


Contributed by Itay Talmi, Cloud Native Applications Senior Consultant, following his attendance at KubeCon & CloudNativeCon Europe 2022.


“A single container escape was enough to take over the entire cluster.” This line has kept me awake at night ever since I heard it at KubeCon 2022 in Valencia, where I had the opportunity to attend the session led by Yuval Avrahami, Principal Security Researcher at Prisma Cloud. The session focused on the concept of ‘Trampoline Pods’: pods granted far more privileges than they need, with no least-privilege approach, which an attacker who compromises one of them can use to take over the entire cluster! The takeaway? If you are running K8s, you absolutely must be aware of this security risk!

  • Containers are undoubtedly a great tool, but because they share the host kernel, containers are a weak security boundary
  • The main impact to worry about is a compromised node, which is what a container escape hands an attacker
  • Trampoline DaemonSets guarantee that an attacker will hit the jackpot: a DaemonSet runs a copy of its Pod on some or all nodes, so whichever node is compromised, the attacker finds that Pod’s powerful credentials on it and can use them to take over the entire cluster. If you take only one thing away from this discussion, it is this: keep them least-privileged!
  • Know your nodes and which kinds of pods they are running (applications, add-ons, system pods)
  • Most common infrastructure components (managed K8s services, K8s distributions, and CNIs) install powerful DaemonSets by default
  • General recommendations: a better RBAC posture and stronger node isolation
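As an added example (not from the talk or this post, and not the code of any of the tools mentioned), here is a small Python audit of the recommendation above: it takes a constructed snapshot shaped like `kubectl get daemonsets,clusterrolebindings,clusterroles -o json` and flags DaemonSets whose ServiceAccount is bound cluster-wide to write verbs or to reading secrets. It considers only ClusterRoleBindings to ClusterRoles (the cluster-wide case behind the trampoline risk), so RoleBindings and group subjects are out of scope; `SNAPSHOT`, the role and binding names and the verb lists are assumptions.

```python
from typing import Dict, List, Tuple

# Verbs that let a pod's token change cluster state; resources whose read leaks other workloads' credentials.
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection", "bind", "escalate", "impersonate"}
SENSITIVE_READ = {"*", "secrets"}

def rule_is_powerful(rule: dict) -> str:
    """Return why a ClusterRole rule grants cluster-wide power, or '' if it is harmless."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    if verbs & WRITE_VERBS:
        return f"write verbs {sorted(verbs & WRITE_VERBS)} on {sorted(resources)}"
    if verbs & {"get", "list", "watch"} and resources & SENSITIVE_READ:
        return f"reads {sorted(resources & SENSITIVE_READ)} cluster-wide"
    return ""

def audit_daemonsets(snapshot: dict) -> Dict[str, List[str]]:
    """Map 'namespace/daemonset' -> reasons its ServiceAccount is over-privileged cluster-wide.
    Only ClusterRoleBindings to ClusterRoles are considered (assumption: RoleBindings/groups ignored)."""
    roles = {cr["metadata"]["name"]: cr.get("rules", []) for cr in snapshot["clusterroles"]}
    sa_roles: Dict[Tuple[str, str], List[str]] = {}  # (namespace, serviceaccount) -> ClusterRoles
    for crb in snapshot["clusterrolebindings"]:
        for subj in crb.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                sa_roles.setdefault((subj["namespace"], subj["name"]), []).append(crb["roleRef"]["name"])
    findings: Dict[str, List[str]] = {}
    for ds in snapshot["daemonsets"]:
        ns, name = ds["metadata"]["namespace"], ds["metadata"]["name"]
        sa = ds["spec"]["template"]["spec"].get("serviceAccountName", "default")  # K8s falls back to 'default'
        for role in sa_roles.get((ns, sa), []):
            for rule in roles.get(role, []):
                if reason := rule_is_powerful(rule):
                    findings.setdefault(f"{ns}/{name}", []).append(f"{sa} via {role}: {reason}")
    return findings

# Constructed snapshot (not real cluster data): one over-privileged network add-on, one least-privilege log shipper.
SNAPSHOT = {
    "clusterroles": [
        {"metadata": {"name": "addon-admin"}, "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "create", "patch"]}]},
        {"metadata": {"name": "log-reader"}, "rules": [{"apiGroups": [""], "resources": ["pods", "namespaces"], "verbs": ["get", "list", "watch"]}]},
    ],
    "clusterrolebindings": [
        {"metadata": {"name": "addon-admin-binding"}, "roleRef": {"kind": "ClusterRole", "name": "addon-admin"}, "subjects": [{"kind": "ServiceAccount", "name": "addon-sa", "namespace": "kube-system"}]},
        {"metadata": {"name": "log-reader-binding"}, "roleRef": {"kind": "ClusterRole", "name": "log-reader"}, "subjects": [{"kind": "ServiceAccount", "name": "logs-sa", "namespace": "logging"}]},
    ],
    "daemonsets": [
        {"metadata": {"namespace": "kube-system", "name": "net-addon"}, "spec": {"template": {"spec": {"serviceAccountName": "addon-sa"}}}},
        {"metadata": {"namespace": "logging", "name": "log-shipper"}, "spec": {"template": {"spec": {"serviceAccountName": "logs-sa"}}}},
    ],
}
```

Calling `audit_daemonsets(SNAPSHOT)` reports only `kube-system/net-addon`, because its ServiceAccount can create and patch pods and read secrets cluster-wide, while the read-only log shipper passes.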


The discussion highlighted the value of the open-source tools RBAC Police and Checkov (by Bridgecrew); all of this can also be managed (including CSPM & CWPP) by an all-in-one solution that I love to recommend: Prisma Cloud by Palo Alto Networks. Yuval’s session was incredibly valuable, with an enlightening demonstration.


I look forward to continuing to explore this issue and invite you to reach out to me if you have any questions or would like to talk about a Prisma Cloud demo.
