Container with privilege escalation allowed
No violationsstackroxmediumdeployAlerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.
- Rationale
- A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.
- Remediation
- Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.
CategoriesPrivilegesSecurity Best Practices
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.5
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.2A.8.9
- NIST SP 800-53 rev. 5
- AC-6CM-2
- PCI DSS 4.0
- 2.2.12.2.67.2.1
- SOC 2 2017 TSC
- CC6.1
Generated artifacts
3 of 5 targets supportedcontainer-with-privilege-escalation-allowed.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: container-with-privilege-escalation-allowed
annotations:
policies.kyverno.io/title: Container with privilege escalation allowed
policies.kyverno.io/category: Privileges, Security Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.
policies.kyverno.io/remediation: Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.
policies.kyverno.io/rationale: A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.
policies.io/source: stackrox
policies.io/source-id: 16c95922-08c4-41b6-a721-dc4b2a806632
spec:
validationFailureAction: Audit
background: true
rules:
- name: container-with-privilege-escalation-allowed
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Container with privilege escalation allowed" violated: Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].securityContext.allowPrivilegeEscalation || `[]` }}"
operator: AnyIn
value:
- true
exclude:
any:
- resources:
namespaces:
- openshift-ingress
IR (canonical)
{
"id": "16c95922-08c4-41b6-a721-dc4b2a806632",
"name": "Container with privilege escalation allowed",
"description": "Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.",
"rationale": "A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.",
"remediation": "Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.",
"severity": "medium",
"categories": [
"Privileges",
"Security Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "router-default",
"namespace": "openshift-ingress"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "allow-privilege-escalation",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "16c95922-08c4-41b6-a721-dc4b2a806632",
"name": "Container with privilege escalation allowed",
"description": "Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.",
"rationale": "A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.",
"remediation": "Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.",
"disabled": false,
"categories": [
"Privileges",
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on deployment router-default in namespace openshift-ingress",
"deployment": {
"name": "router-default",
"scope": {
"cluster": "",
"namespace": "openshift-ingress",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Policy Section 1",
"policyGroups": [
{
"fieldName": "Allow Privilege Escalation",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}