lacework-global-652
4.2.5 Minimize the execution of container workloads that can escalate their privileges beyond those of their parent process (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit the running of containers with the securityContext.allowPrivilegeEscalation flag set to true.
Rationale
A container running with the allowPrivilegeEscalation flag set to true may have processes that gain more privileges than their parent, for example by executing a setuid or setgid binary, because the no_new_privs flag is not set on the container process.
Impact
Pods with any container whose securityContext.allowPrivilegeEscalation is set to true will not be permitted.
Audit
Get the configuration of all pods using the following command:
kubectl get pods -o json
Inspect the JSON output and ensure that, for each pod in .items[], there are no containers in .spec.containers[] which set securityContext.allowPrivilegeEscalation: true. Note that kubectl get pods without --all-namespaces (-A) only returns pods in the current namespace, and that init containers (.spec.initContainers[]) and ephemeral containers (.spec.ephemeralContainers[]) carry their own securityContext and should be inspected in the same way.
If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array (any() lists a pod once even when several of its containers set the flag):
kubectl get pods -A -o json | jq '[.items[] | select(any(.spec.containers[]; .securityContext.allowPrivilegeEscalation == true)) | {namespace: .metadata.namespace, name: .metadata.name}]'
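The jq query above only catches an explicit true in .spec.containers[]. The following script is an added example, not part of the benchmark or of any Lacework tooling: it reads the same kubectl get pods -A -o json output from stdin and goes further than the query, covering init and ephemeral containers, reporting containers where the flag is unset (which the kubelet treats the same as true), and reporting containers where an explicit false is overridden because they are privileged or add CAP_SYS_ADMIN. The file name audit_priv_esc.py and the embedded PodList are constructed for illustration; when run without a pipe it audits that sample instead.

```python
"""Audit `kubectl get pods -A -o json` output for containers that can escalate privileges.

Usage:  kubectl get pods -A -o json | python3 audit_priv_esc.py
Exit status is 1 when at least one finding is reported.
"""
import json
import sys

# All three container lists in a pod spec carry their own securityContext.
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def container_findings(pod, container, kind):
    """Return finding strings for one container, or [] if it is hardened."""
    sc = container.get("securityContext") or {}
    ns = pod["metadata"].get("namespace", "default")
    where = f"{ns}/{pod['metadata']['name']} {kind}/{container['name']}"
    findings = []
    ape = sc.get("allowPrivilegeEscalation")
    if ape is True:
        findings.append(f"{where}: allowPrivilegeEscalation explicitly true")
    elif ape is None:
        # Unset: the kubelet does not set no_new_privs, so setuid binaries still work.
        findings.append(f"{where}: allowPrivilegeEscalation unset (escalation still possible)")
    # An explicit false is overridden when the container is privileged or has CAP_SYS_ADMIN.
    caps = [c.upper() for c in ((sc.get("capabilities") or {}).get("add") or [])]
    if sc.get("privileged") is True:
        findings.append(f"{where}: privileged container (allowPrivilegeEscalation forced true)")
    elif "SYS_ADMIN" in caps or "CAP_SYS_ADMIN" in caps:
        findings.append(f"{where}: adds CAP_SYS_ADMIN (allowPrivilegeEscalation forced true)")
    return findings


def audit_pod_list(pod_list):
    """Walk a PodList (the JSON kubectl emits) and collect every finding."""
    findings = []
    for pod in pod_list.get("items", []):
        for kind in CONTAINER_KINDS:
            for container in pod["spec"].get(kind) or []:
                findings.extend(container_findings(pod, container, kind))
    return findings


# Constructed sample PodList (not real cluster output) exercising each case above.
SAMPLE_POD_LIST = {
    "items": [
        {   # hardened: explicit false in both the init and the app container
            "metadata": {"name": "good", "namespace": "app"},
            "spec": {
                "initContainers": [{"name": "init", "securityContext": {"allowPrivilegeEscalation": False}}],
                "containers": [{"name": "web", "securityContext": {"allowPrivilegeEscalation": False}}],
            },
        },
        {   # explicit true in an init container, which a query over .spec.containers[] never sees
            "metadata": {"name": "init-escalates", "namespace": "app"},
            "spec": {
                "initContainers": [{"name": "setup", "securityContext": {"allowPrivilegeEscalation": True}}],
                "containers": [{"name": "web", "securityContext": {"allowPrivilegeEscalation": False}}],
            },
        },
        {   # no securityContext at all: the flag is unset, which is not the same as false
            "metadata": {"name": "unset", "namespace": "app"},
            "spec": {"containers": [{"name": "web"}]},
        },
        {   # explicit false but privileged, so the kubelet forces the flag to true anyway
            "metadata": {"name": "privileged", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "agent",
                                     "securityContext": {"allowPrivilegeEscalation": False, "privileged": True}}]},
        },
    ]
}


def main():
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_pod_list(data)
    for line in findings:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Against the sample the script reports three containers: the init container with the explicit true, the container with the flag unset, and the privileged container, while the fully hardened pod produces nothing.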
Remediation
Update pod configurations to ensure that the allowPrivilegeEscalation security context flag is explicitly set to false for all containers, including init and ephemeral containers. Leaving the field unset is not equivalent to false: when it is unset the kubelet does not set no_new_privs on the container process, so setuid binaries can still gain privileges, and the restricted Pod Security Standard rejects such pods. The flag is also always treated as true for a container that is privileged or adds the CAP_SYS_ADMIN capability, so those settings must be removed as well.
The following example explicitly sets the allowPrivilegeEscalation flag to false:
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      allowPrivilegeEscalation: false
References
https://github.com/aws/aws-eks-best-practices/blob/4f930119cc93ff9db919b0a2802de785e89ea40b/content/security/docs/pods.md#do-not-allow-privileged-escalation
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core