Escaping the Container
KubeOrchestrator v3 introduced a new Performance Monitoring sidecar container. During a manual cluster audit, OdiVex researchers discovered that this sidecar is deployed with an overly permissive hostPath volume mount that exposes the underlying Kubernetes Node's /var/log directory with read/write permissions.
The Pivot to Host
Because the sidecar runs as root, an attacker who gains code execution inside the monitoring pod can follow symlinks out of the /var/log mount and write directly to the Node's /etc/crontab.
By scheduling a malicious cron job on the underlying host, the attacker achieves a full container escape, granting root access to the Kubernetes worker node and compromising all other pods running on that infrastructure.
Mitigation Strategy
Administrators must immediately apply the provided Pod Security Admission (PSA) policies to restrict hostPath mounts entirely, and ensure that sidecar containers drop all unnecessary Linux capabilities (including CAP_SYS_ADMIN and CAP_DAC_OVERRIDE).
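The following audit script is an added example, not code from KubeOrchestrator, OdiVex or the advisory itself. It checks pod and namespace objects for the exact pattern described above: a hostPath volume mounted read/write, a container that may run as root, and capabilities that are not dropped, and it verifies that the namespace carries a Pod Security Admission enforce label that would reject such a pod. The pod and namespace definitions embedded below are constructed stand-ins for the Performance Monitoring sidecar (image name, mount path and namespace are invented); the functions take plain dicts, i.e. what yaml.safe_load() or the Kubernetes API client returns, so they can be pointed at real manifests.

```python
"""Audit pod and namespace objects for the hostPath / root / capability
pattern this advisory describes.

Added example, not KubeOrchestrator's or OdiVex's code. The pod and
namespace objects at the bottom are constructed stand-ins for the
Performance Monitoring sidecar, not the product's real manifests. The
audit functions take plain dicts (output of yaml.safe_load() or the
Kubernetes API), so they can be run over real cluster objects.
"""

PSA_LABEL = "pod-security.kubernetes.io/enforce"
# Capabilities the advisory names, with and without the CAP_ prefix
# (Kubernetes manifests normally omit the prefix).
RISKY_CAPS = {"SYS_ADMIN", "DAC_OVERRIDE", "CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE"}


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per problem in a pod object; an empty list means clean."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # 1. Any hostPath volume is a finding: the baseline and restricted PSA
    #    profiles both reject it outright.
    host_paths = {}
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            host_paths[vol["name"]] = vol["hostPath"].get("path", "?")
            findings.append(f"volume {vol['name']!r} is a hostPath to {host_paths[vol['name']]}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = {**pod_sc, **(c.get("securityContext") or {})}  # container overrides pod

        # 2. A read/write mount of a hostPath volume is what lets writes reach the node.
        for m in c.get("volumeMounts", []):
            if m.get("name") in host_paths and not m.get("readOnly", False):
                findings.append(f"container {name!r} mounts {host_paths[m['name']]} read/write")

        # 3. Root inside the container is root on whatever host path is mounted.
        if not sc.get("runAsNonRoot") and (sc.get("runAsUser") or 0) <= 0:
            findings.append(f"container {name!r} may run as root")

        # 4. The restricted profile requires drop: [ALL]; adding the advisory's
        #    named capabilities back is a finding on its own.
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            findings.append(f"container {name!r} does not drop ALL capabilities")
        for cap in sorted(RISKY_CAPS & set(caps.get("add", []))):
            findings.append(f"container {name!r} adds {cap}")
    return findings


def audit_namespace(ns: dict) -> list[str]:
    """Check that PSA enforcement on the namespace would reject a hostPath pod."""
    name = ns.get("metadata", {}).get("name", "?")
    labels = ns.get("metadata", {}).get("labels") or {}
    level = labels.get(PSA_LABEL)
    if level == "restricted":
        return []  # rejects hostPath, requires runAsNonRoot and drop: [ALL]
    if level == "baseline":
        return [f"namespace {name!r} enforces baseline: hostPath is rejected, "
                "but non-root and capability drop are not required"]
    return [f"namespace {name!r} has no enforcing PSA label ({PSA_LABEL}); hostPath pods are admitted"]


# Constructed fixtures: the sidecar as described, and a hardened version.
VULNERABLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "perf-monitor", "namespace": "monitoring"},
    "spec": {
        "volumes": [{"name": "node-logs", "hostPath": {"path": "/var/log", "type": "Directory"}}],
        "containers": [{
            "name": "perf-sidecar", "image": "example.invalid/perf-sidecar:3",
            "volumeMounts": [{"name": "node-logs", "mountPath": "/host/log"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "perf-monitor", "namespace": "monitoring"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "perf-sidecar", "image": "example.invalid/perf-sidecar:3",
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp/scratch"}],
            "securityContext": {
                "runAsNonRoot": True, "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        }],
    },
}

OPEN_NAMESPACE = {"apiVersion": "v1", "kind": "Namespace",
                  "metadata": {"name": "monitoring", "labels": {}}}
ENFORCED_NAMESPACE = {"apiVersion": "v1", "kind": "Namespace",
                      "metadata": {"name": "monitoring",
                                   "labels": {PSA_LABEL: "restricted",
                                              "pod-security.kubernetes.io/enforce-version": "latest"}}}

if __name__ == "__main__":
    for label, obj, fn in [("vulnerable pod", VULNERABLE_POD, audit_pod),
                           ("hardened pod", HARDENED_POD, audit_pod),
                           ("open namespace", OPEN_NAMESPACE, audit_namespace),
                           ("enforced namespace", ENFORCED_NAMESPACE, audit_namespace)]:
        result = fn(obj)
        print(f"{label}: {'clean' if not result else ''}")
        for f in result:
            print("  -", f)
```

Two points worth knowing when turning this into a cluster-wide check. PSA is enforced per namespace through labels, so a correct policy in one namespace says nothing about the monitoring namespace the sidecar actually lands in; run audit_namespace over every namespace. And the baseline profile already rejects hostPath volumes, but only the restricted profile also demands runAsNonRoot and drop: [ALL], which is why the script treats baseline as a partial finding rather than a pass.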