lacework-global-648
4.2.1 Minimize the execution of privileged container workloads (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit containers to be run with the securityContext.privileged flag set to true.
Rationale
Privileged containers have access to all Linux Kernel capabilities and devices. A container running with full privileges can do almost everything that the host can do. This flag exists to allow special use-cases, like manipulating the network stack and accessing devices.
Impact
Pods defined with spec.containers[].securityContext.privileged: true will not be permitted.
Audit
Get the configuration of all pods using the following command:
kubectl get pods -o json
Inspect the JSON output and ensure that, for each pod in .items[], there are no containers in .spec.containers[] which set securityContext.privileged: true.
If jq is available in the shell, then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array:
kubectl get pods -o json | jq -r '.items[] | select(.spec.containers[].securityContext.privileged==true) | {name: .metadata.name}' | jq -s '.'
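As an added example that is not part of this policy page or the referenced Kubernetes documentation, the following Python script applies the same audit offline to saved kubectl get pods -o json output. It goes slightly beyond the jq one-liner above: in addition to .spec.containers[] it also walks .spec.initContainers[] and .spec.ephemeralContainers[], which carry the same securityContext schema and can be privileged too. The embedded pod list is constructed sample data, not output from a real cluster; the file path argument is an assumption about how a practitioner would feed it a real dump.

```python
import json
import sys

# Constructed sample of `kubectl get pods -o json` output (not real cluster data).
# It contains one compliant pod, one pod with a privileged init container, and
# one pod with a privileged regular container next to an unprivileged sidecar.
SAMPLE_PODS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "hello-world", "namespace": "default"},
            "spec": {
                "containers": [
                    {"name": "hello-world", "image": "hello-world",
                     "securityContext": {"privileged": False}}
                ]
            },
        },
        {
            "metadata": {"name": "net-tool", "namespace": "kube-system"},
            "spec": {
                "initContainers": [
                    {"name": "sysctl-init", "image": "busybox",
                     "securityContext": {"privileged": True}}
                ],
                "containers": [
                    {"name": "app", "image": "app:1.0"}
                ]
            },
        },
        {
            "metadata": {"name": "debugger", "namespace": "default"},
            "spec": {
                "containers": [
                    {"name": "shell", "image": "busybox",
                     "securityContext": {"privileged": True}},
                    {"name": "sidecar", "image": "sidecar:1.0"}
                ]
            },
        },
    ],
})

# All three container lists in a PodSpec share the same securityContext schema.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def find_privileged_containers(pods_json: str):
    """Return (namespace, pod, list name, container) tuples for every container
    in the kubectl JSON dump whose securityContext.privileged is true.

    A missing securityContext, or a missing privileged key, counts as false,
    which matches the Kubernetes default described in the remediation text."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for list_name in CONTAINER_LISTS:
            for container in spec.get(list_name) or []:
                sc = container.get("securityContext") or {}
                if sc.get("privileged") is True:
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name", "<unnamed>"),
                                     list_name,
                                     container.get("name", "<unnamed>")))
    return findings


def is_compliant(pods_json: str) -> bool:
    """True when no container in the dump runs privileged (empty finding list)."""
    return not find_privileged_containers(pods_json)


if __name__ == "__main__":
    # Hypothetical usage: `python audit_privileged.py pods.json`; with no
    # argument the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PODS_JSON
    findings = find_privileged_containers(data)
    for ns, pod, list_name, ctr in findings:
        print(f"FAIL {ns}/{pod} {list_name}[{ctr}] securityContext.privileged: true")
    print("PASS: no privileged containers" if not findings else f"{len(findings)} finding(s)")
```

Run against the sample it reports the init container in kube-system/net-tool and the shell container in default/debugger; an empty finding list (is_compliant returning True) corresponds to the empty array the jq command is expected to print.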
Remediation
Update pod configurations to ensure that the privileged security context flag is false or not set for all containers (it defaults to false if not set).
The following example explicitly sets the privileged flag to false:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      privileged: false
References
https://github.com/aws/aws-eks-best-practices/blob/4f930119cc93ff9db919b0a2802de785e89ea40b/content/security/docs/pods.md#restrict-the-containers-that-can-run-as-privileged
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core