lacework-global-754
Minimize the admission of containers with allowPrivilegeEscalation (Automated)
Description
Do not generally permit the running of containers with the allowPrivilegeEscalation flag set to true.
Allowing this right can lead to a process running a container getting more rights than it started with.
It is important to note that these rights are still constrained by the overall container sandbox, and this setting does not relate to the use of privileged containers.
Remediation
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
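Worked example, added for this page and not taken from Lacework or the Kubernetes project: a small audit that checks what the remediation asks for, namely that each workload-bearing namespace enforces the Pod Security Standards "restricted" profile via the pod-security.kubernetes.io/enforce label, and that every container in a pod spec explicitly sets allowPrivilegeEscalation: false. Pod Security Policy (the first reference) was removed in Kubernetes v1.25; Pod Security Admission's "restricted" profile is the built-in namespace-level replacement, and it is the only built-in profile that forbids privilege escalation ("baseline" does not). Function names, the sample manifests, and the assumption that manifests are plain dicts as produced by loading YAML are all mine.

```python
# Added example: audit Kubernetes manifests (already loaded into dicts) for the
# allowPrivilegeEscalation control. Not Lacework's or Kubernetes' own code.
import copy
from typing import Any, Dict, List

PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"   # real Pod Security Admission label
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec for a bare Pod, or the pod template spec of a
    Deployment/StatefulSet/DaemonSet/Job-style workload."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def find_allow_privilege_escalation_violations(manifest: Dict[str, Any]) -> List[str]:
    """Names ("<field>/<container>") of containers that do not explicitly set
    securityContext.allowPrivilegeEscalation to false.

    An unset field counts as a violation: it defaults to true, and is forced to
    true for privileged containers or those holding CAP_SYS_ADMIN, so an audit
    should insist on an explicit false, which is also what the "restricted"
    profile requires."""
    violations = []
    spec = pod_spec(manifest)
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            sc = container.get("securityContext") or {}
            if sc.get("allowPrivilegeEscalation") is not False:
                violations.append(f"{field}/{container.get('name', '<unnamed>')}")
    return violations


def namespace_enforces_restricted(namespace_manifest: Dict[str, Any]) -> bool:
    """True when the namespace enforces the "restricted" profile; "baseline" or
    "privileged" (or no label at all) still admits privilege escalation."""
    labels = namespace_manifest.get("metadata", {}).get("labels") or {}
    return labels.get(PSA_ENFORCE_LABEL) == "restricted"


def harden_manifest(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with allowPrivilegeEscalation: false on every container,
    the per-workload fix that the namespace policy will otherwise reject."""
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            container.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed


# Constructed sample manifests (not from any real cluster).
DEPLOYMENT_UNSET = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init-db"}],                       # field unset -> violation
        "containers": [
            {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "securityContext": {"runAsNonRoot": True}},  # unset -> violation
        ],
    }}},
}
POD_OK = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {"containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}]},
}
NS_RESTRICTED = {"apiVersion": "v1", "kind": "Namespace",
                 "metadata": {"name": "prod", "labels": {PSA_ENFORCE_LABEL: "restricted"}}}
NS_BASELINE = {"apiVersion": "v1", "kind": "Namespace",
               "metadata": {"name": "dev", "labels": {PSA_ENFORCE_LABEL: "baseline"}}}

if __name__ == "__main__":
    for ns in (NS_RESTRICTED, NS_BASELINE):
        print(ns["metadata"]["name"], "enforces restricted:", namespace_enforces_restricted(ns))
    print("violations:", find_allow_privilege_escalation_violations(DEPLOYMENT_UNSET))
    print("after hardening:", find_allow_privilege_escalation_violations(harden_manifest(DEPLOYMENT_UNSET)))
```

The audit treats an absent field as a finding on purpose: a manifest that merely omits allowPrivilegeEscalation is admitted under "baseline" but rejected under "restricted", so reporting it early tells a team which workloads will break when the namespace label is tightened.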
References
https://kubernetes.io/docs/concepts/security/pod-security-policy/
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/