Do not admit privileged containers

Error: Privileged containers are admitted

Bridgecrew Policy ID: BC_K8S_2
Checkov Check ID: CKV_K8S_2
Severity: HIGH

Privileged containers are admitted

Description

Privileged containers are containers that have all of the root capabilities of a host machine, allowing access to resources that are not accessible in ordinary containers.

Running a container with a privileged flag allows users to have critical access to the host’s resources. If a privileged container is compromised, it does not necessarily entail remote code execution, but it implies that an attacker will be able to run full host root with all of the available capabilities, including CAP_SYS_ADMIN.

Common uses of privileged containers include: running a Docker daemon inside a Docker container, running a container with direct hardware access, and automating CI/CD tasks in the open-source automation server Jenkins.

Fix - Buildtime

Kubernetes

  • Resource: PodSecurityPolicy
  • Argument: privileged (Optional)
    When set to false, containers are unable to run processes that are essentially equivalent to root on the host.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
+ privileged: false

To use a PodSecurityPolicy resource, the requesting user or target pod’s service account must be authorized to use the policy. The preferred method is to grant access to the service account. In the following example we use RBAC, a standard Kubernetes authorization mode.

A Role or ClusterRole must grant access to use the desired policies.

Kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <role name>
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - <policy name>

The ClusterRole is then bound to the authorized service(s):

Kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <binding name>
roleRef:
  kind: ClusterRole
  name: <role name>
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: <authorized service account name>
  namespace: <authorized pod namespace>

Did this page help you?