A security researcher ran a full-blown container escape on EKS using BadPods - a tool that spins up dangerously overprivileged pods. The pod broke out of its container, poked around the host node, moved laterally, and swiped AWS IAM creds.
All of it slipped past EKS’s default Pod Security Admission (PSA) policies. Why? Because those defaults still let pods declare risky stuff like hostPID, hostNetwork, privileged, and hostPath volumes. Basically, a welcome mat for escalation.
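A manifest check for the four settings named above, written as an added example (it is not part of the original post and is not BadPods code). The function names `pod_spec` and `risky_fields` and the sample manifest are constructed for illustration; the check also unwraps workload templates such as Deployments and CronJobs, which goes beyond the bare-pod case the post describes.

```python
import json

# Constructed sample manifest (not from the original post): a pod that
# declares all four settings the post names.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "sample-overprivileged", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{
      "name": "app", "image": "example.invalid/app:1",
      "securityContext": {"privileged": true}
    }]
  }
}
""")

def pod_spec(manifest):
    """Return the pod spec, unwrapping Deployment/DaemonSet/Job/CronJob templates."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec", spec)

def risky_fields(manifest):
    """List the host-level settings from the post that this manifest declares."""
    spec = pod_spec(manifest)
    findings = []
    for flag in ("hostPID", "hostNetwork"):
        if spec.get(flag) is True:
            findings.append(flag)
    # privileged is set per container, so every container list is checked
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"privileged:{c.get('name')}")
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            findings.append(f"hostPath:{(v['hostPath'] or {}).get('path')}")
    return findings

if __name__ == "__main__":
    for finding in risky_fields(SAMPLE_POD):
        print("RISKY", finding)
```

Run over manifests in CI or over exported pod specs, any non-empty result marks a workload that relies on the admission policy being this permissive.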










