Skip to main content

lacework-global-652

4.2.5 Minimize the execution of container workloads that can escalate their privileges above those of their parent process (Automated)

Profile Applicability

• Level 1

Description

Do not generally permit containers to be run with the securityContext.allowPrivilegeEscalation flag set to true.

Rationale

A container running with the allowPrivilegeEscalation flag set to true may have processes that can gain more privileges than their parent.

Impact

Pods defined with spec.allowPrivilegeEscalation: true will not be permitted.

Audit

Get the configuration of all pods using the following command:

kubectl get pods -o json

Inspect the JSON output and ensure that, for each pod in .items[], there are no containers in .spec.containers[] which set securityContext.allowPrivilegeEscalation: true.

If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array:

kubectl get pods -o json | jq -r '.items[] | select(.spec.containers[].securityContext.allowPrivilegeEscalation==true) | {name: .metadata.name}' | jq -s '.'

Remediation

Update pod configurations to ensure that the allowPrivilegeEscalation security context flag is false or not set for all containers (will default to false if not set).

The following example explicitly sets the allowPrivilegeEscalation flag to false:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      allowPrivilegeEscalation: false

References

https://github.com/aws/aws-eks-best-practices/blob/4f930119cc93ff9db919b0a2802de785e89ea40b/content/security/docs/pods.md#do-not-allow-privileged-escalation https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core