Container runs with AllowPrivilegeEscalation

ID: allow_privilege_escalation
Severity: low
Vendor: Kubernetes
Resource: General Security
Tags: reachable

Description

The AllowPrivilegeEscalation Pod Security Policy controls whether a user is allowed to set the security context of a container to allowPrivilegeEscalation=true. Setting it to false ensures that no child process of a container can gain more privileges than its parent.

We recommend setting allowPrivilegeEscalation to false to prevent existing permission sets from being bypassed.

Learn more about this topic at Set security context for a Container.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: insecure # (1)
spec:
  containers:
  - name: insecure-container
    image: <image>
1 Leaving allowPrivilegeEscalation unset, or setting it to true, allows the container's child processes to obtain more privileges than their parent.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: secure
spec:
  containers:
    - name: secure-container
      image: <container-image>
      securityContext:
        allowPrivilegeEscalation: false # (1)
1 Setting allowPrivilegeEscalation to false prevents your existing permission sets from being bypassed.
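
One way to check manifests for this rule before they are applied, as an added example (not code from this page or from any scanner): it flags every container whose securityContext does not explicitly set allowPrivilegeEscalation to false, and goes beyond the Pod shown above by also covering init and ephemeral containers and workloads that embed a pod template. The function names and the sample manifests are constructed for illustration.

```python
# Added example: report containers that do not set allowPrivilegeEscalation: false.
def pod_spec(manifest):
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, ReplicaSet and Job use spec.template.spec
    return (spec.get("template") or {}).get("spec") or {}

def find_violations(manifest):
    """Return (resource, container, reason) for each container failing the rule."""
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    resource = f"{manifest.get('kind', '<unknown>')}/{name}"
    findings = []
    spec = pod_spec(manifest)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            ctx = container.get("securityContext") or {}
            value = ctx.get("allowPrivilegeEscalation")
            if value is False:  # only an explicit boolean false passes
                continue
            reason = "unset" if value is None else f"set to {value!r}"
            findings.append((resource, container.get("name"), reason))
    return findings

# Constructed sample manifests, already parsed (e.g. from `kubectl get -o json`).
INSECURE_POD = {"kind": "Pod", "metadata": {"name": "insecure"},
                "spec": {"containers": [{"name": "insecure-container"}]}}
SECURE_POD = {"kind": "Pod", "metadata": {"name": "secure"},
              "spec": {"containers": [{"name": "secure-container",
                  "securityContext": {"allowPrivilegeEscalation": False}}]}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"},
              "spec": {"template": {"spec": {
                  "initContainers": [{"name": "init"}],
                  "containers": [
                      {"name": "app",
                       "securityContext": {"allowPrivilegeEscalation": True}},
                      {"name": "sidecar",
                       "securityContext": {"allowPrivilegeEscalation": False}}]}}}}

if __name__ == "__main__":
    for manifest in (INSECURE_POD, SECURE_POD, DEPLOYMENT):
        for resource, container, reason in find_violations(manifest):
            print(f"{resource}: container {container}: allowPrivilegeEscalation {reason}")
```

A value that parses as a string rather than a boolean is also reported, because only an explicit boolean false satisfies the check.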