lacework-global-652
4.2.5 Minimize the execution of container workloads that can escalate their privileges above those of their parent process (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit containers to be run with the securityContext.allowPrivilegeEscalation
flag set to true.
Rationale
A container running with the allowPrivilegeEscalation flag set to true may have processes that can gain more privileges than their parent. The flag controls whether the no_new_privs bit is set on the container's processes; without it, a process can acquire privileges through setuid or setgid binaries and file capabilities, even when the container itself is unprivileged.
Impact
Pods with any container whose securityContext.allowPrivilegeEscalation is true will not be permitted. Note that a container that runs with privileged: true or adds CAP_SYS_ADMIN always has privilege escalation enabled, regardless of how the flag is set.
Audit
Get the configuration of all pods in all namespaces using the following command:
kubectl get pods -A -o json
Inspect the JSON output and ensure that, for each pod in .items[], there are no containers in .spec.containers[] (or in .spec.initContainers[] and .spec.ephemeralContainers[]) which set securityContext.allowPrivilegeEscalation: true. Because an unset flag also permits escalation, a stricter audit treats any value other than an explicit false as a finding.
If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array (each offending pod is listed once, with its namespace):
kubectl get pods -A -o json | jq -r '.items[] | select(any((.spec.containers + (.spec.initContainers // []) + (.spec.ephemeralContainers // []))[]; .securityContext.allowPrivilegeEscalation == true)) | {namespace: .metadata.namespace, name: .metadata.name}' | jq -s '.'
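The following is an added audit script (editor-supplied, not part of the benchmark or of Lacework's policy content) that applies the same check to a saved `kubectl get pods -A -o json` dump. It goes beyond the jq one-liner above: it walks init and ephemeral containers as well as regular ones, treats an unset flag as a finding in strict mode, and reports containers whose flag is forced to true by privileged: true or CAP_SYS_ADMIN. The pod list embedded in the script is constructed for the example; the function and variable names are the script's own.

```python
"""Audit a `kubectl get pods -A -o json` dump for containers that can escalate
privileges. Editor-supplied example; the pod list below is constructed."""
import json

# Constructed sample resembling `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "good"},
         "spec": {"containers": [
             {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}]}},
        {"metadata": {"namespace": "default", "name": "explicit-true"},
         "spec": {"containers": [
             {"name": "app", "securityContext": {"allowPrivilegeEscalation": True}}]}},
        {"metadata": {"namespace": "kube-system", "name": "unset"},
         "spec": {"containers": [{"name": "app"}]}},
        {"metadata": {"namespace": "default", "name": "init-privileged"},
         "spec": {"initContainers": [
                      {"name": "setup", "securityContext": {
                          "privileged": True, "allowPrivilegeEscalation": False}}],
                  "containers": [
                      {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}]}},
        {"metadata": {"namespace": "default", "name": "sys-admin"},
         "spec": {"containers": [
             {"name": "app", "securityContext": {
                 "allowPrivilegeEscalation": False,
                 "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    ]
})

# All places in a pod spec where a container can be declared.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def can_escalate(container):
    """Return (effective_value, reason) for one container.

    Mirrors the kubelet's rules: privileged or CAP_SYS_ADMIN force
    allowPrivilegeEscalation to true, and an unset field leaves no_new_privs
    off, so it is effectively true as well.
    """
    sc = container.get("securityContext") or {}
    caps = (sc.get("capabilities") or {}).get("add") or []
    if sc.get("privileged") is True:
        return True, "privileged: true forces allowPrivilegeEscalation"
    # Capabilities may be written as SYS_ADMIN or CAP_SYS_ADMIN; normalise both.
    if any(c.upper().replace("CAP_", "", 1) == "SYS_ADMIN" for c in caps):
        return True, "CAP_SYS_ADMIN forces allowPrivilegeEscalation"
    flag = sc.get("allowPrivilegeEscalation")
    if flag is None:
        return True, "allowPrivilegeEscalation unset (defaults to allowed)"
    return bool(flag), "allowPrivilegeEscalation: " + str(flag).lower()


def audit_pod_list(pod_list_json, strict=True):
    """Return a list of (namespace, pod, container, reason) findings.

    strict=False reproduces the benchmark's literal check (explicit true only);
    strict=True also flags unset fields and containers forced to true.
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        name = pod["metadata"]["name"]
        for field in CONTAINER_FIELDS:
            for c in pod.get("spec", {}).get(field) or []:
                effective, reason = can_escalate(c)
                sc = c.get("securityContext") or {}
                explicit_true = sc.get("allowPrivilegeEscalation") is True
                if explicit_true or (strict and effective):
                    findings.append((ns, name, c["name"], reason))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: kubectl get pods -A -o json | python3 audit_escalation.py
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    for ns, pod, container, reason in audit_pod_list(data):
        print(f"{ns}/{pod} [{container}]: {reason}")
```

Run against the constructed sample, strict mode reports four containers (the explicit true, the unset flag, the privileged init container and the CAP_SYS_ADMIN container), while the benchmark's literal check reports only the explicit true.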
Remediation
Update pod configurations to set the allowPrivilegeEscalation security context flag explicitly to false for every container, including init and ephemeral containers. Leaving the flag unset is not equivalent to false: when it is unset the kubelet does not apply no_new_privs, so escalation remains possible. The flag is also forced to true for containers that run with privileged: true or add CAP_SYS_ADMIN, so those settings must be removed as well.
The following example explicitly sets the allowPrivilegeEscalation flag to false:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      allowPrivilegeEscalation: false
References
https://github.com/aws/aws-eks-best-practices/blob/4f930119cc93ff9db919b0a2802de785e89ea40b/content/security/docs/pods.md#do-not-allow-privileged-escalation
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core