Privileged Containers with Important and Critical Fixable CVEs
No violationsstackroxhighdeployAlert on containers running in privileged mode with important or critical fixable vulnerabilities
- Rationale
- Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).
- Remediation
- Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.
CategoriesPrivilegesVulnerability Management
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.1
- DORA EU 2022/2554
- Art. 9.2Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.2A.8.8
- NIST SP 800-53 rev. 5
- AC-6RA-5SI-2
- PCI DSS 4.0
- 2.2.66.3.16.3.37.2.1
- SOC 2 2017 TSC
- CC6.1CC7.1
Generated artifacts
0 of 5 targets supportedNot supported by kyverno
This policy references fields that kyverno cannot express in its rule language.
Missing capabilities
fixed-byseverityIR (canonical)
{
"id": "b1df1abb-e5a5-4ff7-98fe-1d28a22b55d8",
"name": "Privileged Containers with Important and Critical Fixable CVEs",
"description": "Alert on containers running in privileged mode with important or critical fixable vulnerabilities",
"rationale": "Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
"remediation": "Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.",
"severity": "high",
"categories": [
"Privileges",
"Vulnerability Management"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "privileged-container",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "fixed-by",
"values": [
".*"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "severity",
"values": [
">= IMPORTANT"
],
"valuesOp": "or",
"negate": false
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "b1df1abb-e5a5-4ff7-98fe-1d28a22b55d8",
"name": "Privileged Containers with Important and Critical Fixable CVEs",
"description": "Alert on containers running in privileged mode with important or critical fixable vulnerabilities",
"rationale": "Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
"remediation": "Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.",
"disabled": false,
"categories": [
"Privileges",
"Vulnerability Management"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Privileged Container",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
},
{
"fieldName": "Fixed By",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": ".*"
}
]
},
{
"fieldName": "Severity",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": ">= IMPORTANT"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}