Ensure containers do not run with AllowPrivilegeEscalation

Error: Containers run with AllowPrivilegeEscalation

Bridgecrew Policy ID: BC_K8S_42
Checkov Check ID: CKV_K8S_5
Severity: MEDIUM

Description

The AllowPrivilegeEscalation setting in a container's security context controls whether a process in the container may gain more privileges than its parent process (for example through setuid binaries or file capabilities). Setting it to false ensures that no child process of a container can gain more privileges than its parent.

We recommend that you set allowPrivilegeEscalation to false, so that processes started under the configured RunAsUser cannot bypass the set of permissions they already have.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: allowPrivilegeEscalation (Optional)
    If false, the container cannot request privilege escalation. Defaults to true.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      allowPrivilegeEscalation: false
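The detection logic behind this check, as an added example written for this page (it is not the Bridgecrew page's own code nor Checkov's implementation): it walks the containers and init containers of a Pod or of a templated workload and reports every container that does not explicitly set allowPrivilegeEscalation to false. Manifests are taken as already-parsed dicts, and the two sample manifests are constructed.

```python
# Added example: flag containers that may run with privilege escalation
# allowed (the condition CKV_K8S_5 reports). A missing field counts as a
# failure because the Kubernetes default for allowPrivilegeEscalation is true.

# Workload kinds whose PodSpec lives under spec.template.spec.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(manifest):
    """Return the PodSpec dict of a Pod or workload manifest, or None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":  # one more level: spec.jobTemplate.spec.template.spec
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None  # not a pod-carrying kind: nothing to check


def failing_containers(manifest):
    """Names of containers (init containers first) whose securityContext
    does not set allowPrivilegeEscalation: false."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    failing = []
    for key in ("initContainers", "containers"):
        for c in spec.get(key, []):
            sc = c.get("securityContext") or {}
            if sc.get("allowPrivilegeEscalation") is not False:
                failing.append(c.get("name", "<unnamed>"))
    return failing


# Constructed sample manifests (not from any real deployment).
SAMPLE_POD_OK = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
                 "spec": {"containers": [{"name": "app", "image": "nginx:1.25",
                          "securityContext": {"allowPrivilegeEscalation": False}}]}}

SAMPLE_DEPLOYMENT_BAD = {"apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "bad"}, "spec": {"template": {"spec": {
        "initContainers": [{"name": "init-setup", "image": "busybox"}],  # field missing
        "containers": [
            {"name": "web", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": True}},     # explicit true
            {"name": "sidecar", "image": "envoy",
             "securityContext": {"allowPrivilegeEscalation": False}}]}}}}

if __name__ == "__main__":
    for m in (SAMPLE_POD_OK, SAMPLE_DEPLOYMENT_BAD):
        print(m["metadata"]["name"], "->", failing_containers(m) or "passes CKV_K8S_5")
```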