This was modified from https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/. All credit goes to the kind folks at Gravitational.
The original PoC code was modified to go a bit beyond checking for vulnerability and to actually run a command inside the first container in the first namespace. In this case, curl -s google.com inside the first pod/container in the default namespace on most clusters. From here, it's easy to make an actual tool to extract secrets, code, exfil data, etc.