lacework-global-754

Minimize the admission of containers with allowPrivilegeEscalation (Automated)

Description

Do not generally permit the running of containers with the allowPrivilegeEscalation flag set to true. Allowing this can let a process running in a container gain more privileges than it started with, for example through a setuid binary or a file capability, because allowPrivilegeEscalation: false is what sets the no_new_privs flag on the container process. These rights are still constrained by the overall container sandbox, and this setting is distinct from the use of privileged containers. Note, however, that the field defaults to true when it is left unset, and that Kubernetes treats allowPrivilegeEscalation as always true for a container that runs as privileged or adds CAP_SYS_ADMIN, regardless of what the field says.

Remediation

Add policies to each namespace in the cluster which has user workloads to restrict the admission of Pods in which any container, initContainer or ephemeralContainer has securityContext.allowPrivilegeEscalation set to true or left unset (the field lives under spec.containers[*].securityContext, not directly under spec). On clusters using Pod Security Admission (PodSecurityPolicy was removed in Kubernetes v1.25), labelling the namespace with pod-security.kubernetes.io/enforce: restricted is sufficient, since the Restricted profile requires allowPrivilegeEscalation to be explicitly false; otherwise enforce the same rule with a third-party admission controller.
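As an added example (not part of this policy page and not Lacework's own checker), the following Python audits Pod objects that have already been decoded into dicts, such as the items of `kubectl get pods -A -o json`, and reports every container whose effective allowPrivilegeEscalation is true. It applies the rules from the Description: an unset field counts as true, and privileged: true or an added CAP_SYS_ADMIN forces it to true even when the field is set to false. It also walks initContainers and ephemeralContainers, which the Restricted profile covers as well. The sample manifests are constructed for illustration and do not come from a real cluster.

```python
"""Audit Kubernetes Pod manifests for allowPrivilegeEscalation.

Added example; assumes Pod objects already decoded into dicts
(e.g. json.load(...)["items"] from `kubectl get pods -A -o json`).
"""
from __future__ import annotations

# The three container lists a Pod spec can carry; all are in scope.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def container_allows_escalation(container: dict) -> bool:
    """True if the container's *effective* allowPrivilegeEscalation is true.

    Rules from the Kubernetes security-context documentation:
      * the field defaults to true when unset;
      * it is always true when the container is privileged or adds
        CAP_SYS_ADMIN, whatever the field itself says.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged") is True:
        return True
    added = (sc.get("capabilities") or {}).get("add") or []
    if any(str(cap).upper() in ("SYS_ADMIN", "CAP_SYS_ADMIN") for cap in added):
        return True
    # Only an explicit false opts out; None/missing/true all allow escalation.
    return sc.get("allowPrivilegeEscalation") is not False


def find_violations(pod: dict) -> list[str]:
    """Names ('list/name') of containers in the Pod that allow escalation."""
    spec = pod.get("spec") or {}
    bad = []
    for key in CONTAINER_LISTS:
        for c in spec.get(key) or []:
            if container_allows_escalation(c):
                bad.append(f"{key}/{c.get('name', '?')}")
    return bad


def audit(pods: list[dict]) -> dict[str, list[str]]:
    """Map 'namespace/pod' -> offending containers, for Pods that have any."""
    report: dict[str, list[str]] = {}
    for pod in pods:
        meta = pod.get("metadata") or {}
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        bad = find_violations(pod)
        if bad:
            report[key] = bad
    return report


# Constructed sample manifests (illustrative, not real cluster data).
SAMPLE_PODS = [
    {   # compliant: every container explicitly opts out
        "metadata": {"name": "web", "namespace": "prod"},
        "spec": {
            "containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}],
            "initContainers": [{"name": "migrate", "securityContext": {"allowPrivilegeEscalation": False}}],
        },
    },
    {   # non-compliant: field omitted, so it defaults to true
        "metadata": {"name": "worker", "namespace": "prod"},
        "spec": {"containers": [{"name": "job", "image": "busybox"}]},
    },
    {   # non-compliant despite the field: privileged forces escalation on
        "metadata": {"name": "agent", "namespace": "kube-system"},
        "spec": {"containers": [
            {"name": "sidecar", "securityContext": {"allowPrivilegeEscalation": False, "privileged": True}},
            {"name": "log", "securityContext": {"allowPrivilegeEscalation": False}},
        ]},
    },
    {   # non-compliant: CAP_SYS_ADMIN added, and an explicit true in an initContainer
        "metadata": {"name": "debug", "namespace": "dev"},
        "spec": {
            "containers": [{"name": "shell", "securityContext": {
                "allowPrivilegeEscalation": False, "capabilities": {"add": ["SYS_ADMIN"]}}}],
            "initContainers": [{"name": "setup", "securityContext": {"allowPrivilegeEscalation": True}}],
        },
    },
]

if __name__ == "__main__":
    for pod_key, containers in audit(SAMPLE_PODS).items():
        print(f"{pod_key}: allowPrivilegeEscalation effectively true in {', '.join(containers)}")
```

Run against real data by replacing SAMPLE_PODS with the decoded `items` list; a Pod is compliant only if it is absent from the report, which matches the Restricted profile's requirement that the field be explicitly false on every container.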

References

https://kubernetes.io/docs/concepts/security/pod-security-policy/
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/