Skip to main content

lacework-global-648

4.2.1 Minimize the execution of privileged container workloads (Automated)

Profile Applicability

• Level 1

Description

Do not generally permit containers to be run with the securityContext.privileged flag set to true.

Rationale

Privileged containers have access to all Linux Kernel capabilities and devices. A container running with full privileges can do almost everything that the host can do. This flag exists to allow special use-cases, like manipulating the network stack and accessing devices.

Impact

Pods defined with spec.containers[].securityContext.privileged: true will not be permitted.

Audit

Get the configuration of all pods using the following command:

kubectl get pods -o json

Inspect the JSON output and ensure that, for each pod in .items[], there are no containers in .spec.containers[] which set securityContext.privileged: true.

If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array:

kubectl get pods -o json | jq -r '.items[] | select(.spec.containers[].securityContext.privileged==true) | {name: .metadata.name}' | jq -s '.'

Remediation

Update pod configurations to ensure that the privileged security context flag is false or not set for all containers (will default to false if not set).

The following example explicitly sets the privileged flag to false:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
    containers:
    - name: hello-world
      image: hello-world
      securityContext:
        privileged: false

References

https://github.com/aws/aws-eks-best-practices/blob/4f930119cc93ff9db919b0a2802de785e89ea40b/content/security/docs/pods.md#restrict-the-containers-that-can-run-as-privileged https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core