Ensure containers do not run with AllowPrivilegeEscalation
Error: Containers run with AllowPrivilegeEscalation
Bridgecrew Policy ID: BC_K8S_19
Checkov Check ID: CKV_K8S_20
Containers run with AllowPrivilegeEscalation
The AllowPrivilegeEscalation Pod Security Policy controls whether a user is allowed to set allowPrivilegeEscalation to True in a container's security context. Setting it to False ensures that no child process of a container can gain more privileges than its parent.
We recommend setting AllowPrivilegeEscalation to False, so that RunAsUser commands cannot bypass their existing sets of permissions.
Fix - Buildtime
- Resource: Container
- Argument: allowPrivilegeEscalation (Optional)
If false, the pod cannot request privilege escalation. Defaults to true.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
    - name: <container name>
      image: <image>
      securityContext:
+       allowPrivilegeEscalation: false
```
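As an added example (not Checkov's own implementation), the check below re-creates the intent of CKV_K8S_20 over Pod manifests loaded as Python dictionaries: every container and initContainer must explicitly set `allowPrivilegeEscalation: false`, because an absent field means the Kubernetes default of true. The two manifests are constructed sample inputs.

```python
"""Minimal re-implementation of the CKV_K8S_20 idea (added example).

Walks every container and initContainer in a Pod manifest and reports
those whose securityContext does not explicitly set
allowPrivilegeEscalation: false. Kubernetes defaults the field to true,
so a missing field fails the check just like an explicit true.
"""


def check_no_privilege_escalation(pod):
    """Return the names of containers that fail the check (empty list = pass)."""
    spec = pod.get("spec", {})
    failing = []
    for section in ("initContainers", "containers"):
        for container in spec.get(section, []):
            security_context = container.get("securityContext") or {}
            # Only an explicit False passes; None (absent) or True both fail.
            if security_context.get("allowPrivilegeEscalation") is not False:
                failing.append(container["name"])
    return failing


# Constructed input: the failing form. runAsUser alone does not help here,
# because the field is absent and therefore defaults to true.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25",
         "securityContext": {"runAsUser": 1000}},
    ]},
}

# Constructed input: the corrected form from the fix above.
FIXED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25",
         "securityContext": {"runAsUser": 1000,
                             "allowPrivilegeEscalation": False}},
    ]},
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("fixed", FIXED_POD)):
        result = check_no_privilege_escalation(pod)
        print(f"{label}: {'FAILED ' + ', '.join(result) if result else 'PASSED'}")
```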