Ensure no containers with an RCE CVE are in a privileged pod

Error: A container with an RCE CVE was found in a privileged pod that can lead to cluster takeover

Bridgecrew Policy ID: BC_P3D_6
Severity: MEDIUM

A container with an RCE CVE was found in a privileged pod that can lead to cluster takeover

Description

A container escape is when an attacker breaks out of a container and gains access to the node where it is hosted. A remote code execution (RCE) vulnerability is a flaw in a package that allows an attacker to execute arbitrary code. If a container with an RCE CVE runs in a privileged pod, the two combine: the attacker can execute code inside the container and then use the pod's privileges to break out of it and gain access to the host node.

Fix - Buildtime

Multiple Services

  1. If available, patch the vulnerability by bumping the package.

  2. Explicitly block privileged access for the pod, or remove it where it is already granted.

apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      privileged: false          # explicitly block privileged mode for this container
      capabilities:
        add: []                  # was: [SYS_ADMIN]; removing it takes away the host-level privilege
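To find pods that violate step 2 in a running cluster, the following added check (not part of this policy page or of Bridgecrew's tooling) walks the JSON that `kubectl get pods -A -o json` produces and reports every container that runs privileged or is granted SYS_ADMIN (or ALL) through capabilities.add; the pod list below is constructed inline so the check runs offline, and the pod names, images and namespaces in it are assumptions.

```python
import json

# Capabilities that are equivalent to privileged for container-escape purposes
PRIVILEGED_CAPS = {"SYS_ADMIN", "ALL"}


def _norm_cap(cap: str) -> str:
    # Kubernetes accepts "SYS_ADMIN" and "CAP_SYS_ADMIN"; normalise before comparing
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def privileged_containers(pod_list: dict) -> list:
    """One finding per container (init containers included) that runs privileged
    or is granted SYS_ADMIN/ALL via capabilities.add."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext") or {}
            reasons = []
            if sc.get("privileged") is True:
                reasons.append("privileged: true")
            added = (sc.get("capabilities") or {}).get("add") or []
            bad = sorted({_norm_cap(x) for x in added} & PRIVILEGED_CAPS)
            if bad:
                reasons.append("capabilities.add: " + ",".join(bad))
            if reasons:
                findings.append({"namespace": meta.get("namespace", "default"),
                                 "pod": meta.get("name"), "container": c.get("name"),
                                 "image": c.get("image"), "reasons": reasons})
    return findings


# Constructed sample in `kubectl get pods -A -o json` shape: one pod adds SYS_ADMIN,
# one runs privileged, one is hardened and must not be reported.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "prod"},
   "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}},
  {"metadata": {"name": "agent", "namespace": "kube-system"},
   "spec": {"containers": [{"name": "agent", "image": "example/agent:2.1",
            "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "api", "namespace": "prod"},
   "spec": {"containers": [{"name": "api", "image": "example/api:3.2",
            "securityContext": {"privileged": false, "capabilities": {"drop": ["ALL"]}}}]}}
]}
""")

for f in privileged_containers(SAMPLE_POD_LIST):
    print(f"{f['namespace']}/{f['pod']} [{f['container']}]: {'; '.join(f['reasons'])}")
```

Cross-reference the reported images against your vulnerability scanner's RCE findings to get the exact set of containers this policy flags.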