Back to catalog

Container with privilege escalation allowed

No violationsstackroxmediumdeploy

Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.

Rationale
A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.
Remediation
Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.
CategoriesPrivilegesSecurity Best Practices
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.5
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.2A.8.9
NIST SP 800-53 rev. 5
AC-6CM-2
PCI DSS 4.0
2.2.12.2.67.2.1
SOC 2 2017 TSC
CC6.1

Generated artifacts

3 of 5 targets supported
container-with-privilege-escalation-allowed.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: container-with-privilege-escalation-allowed
  annotations:
    policies.kyverno.io/title: Container with privilege escalation allowed
    policies.kyverno.io/category: Privileges, Security Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.
    policies.kyverno.io/remediation: Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.
    policies.kyverno.io/rationale: A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.
    policies.io/source: stackrox
    policies.io/source-id: 16c95922-08c4-41b6-a721-dc4b2a806632
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: container-with-privilege-escalation-allowed
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Container with privilege escalation allowed" violated: Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].securityContext.allowPrivilegeEscalation || `[]` }}"
                operator: AnyIn
                value:
                  - true
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-ingress
IR (canonical)
{
  "id": "16c95922-08c4-41b6-a721-dc4b2a806632",
  "name": "Container with privilege escalation allowed",
  "description": "Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.",
  "rationale": "A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.",
  "remediation": "Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.",
  "severity": "medium",
  "categories": [
    "Privileges",
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "router-default",
      "namespace": "openshift-ingress"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "allow-privilege-escalation",
    "values": [
      "true"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "16c95922-08c4-41b6-a721-dc4b2a806632",
  "name": "Container with privilege escalation allowed",
  "description": "Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.",
  "rationale": "A container process can run with more privileges than its parent process if the container's security context has the boolean setting allowPrivilegeEscalation enabled. In Kubernetes pods, this setting is true by default. Set the value to false if the pod is to run as a non-root user.",
  "remediation": "Verify that privileged escalation is required and cannot be provided with a subset of other controls. Disable privilege escalation by setting allowPrivilegeEscalation to false.",
  "disabled": false,
  "categories": [
    "Privileges",
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on deployment router-default in namespace openshift-ingress",
      "deployment": {
        "name": "router-default",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ingress",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "Policy Section 1",
      "policyGroups": [
        {
          "fieldName": "Allow Privilege Escalation",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}