Back to catalog

Privileged Containers with Important and Critical Fixable CVEs

No violationsstackroxhighdeploy

Alert on containers running in privileged mode with important or critical fixable vulnerabilities

Rationale
Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).
Remediation
Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.
CategoriesPrivilegesVulnerability Management
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.1
DORA EU 2022/2554
Art. 9.2Art. 9.4(c)
ISO/IEC 27001 2022
A.8.2A.8.8
NIST SP 800-53 rev. 5
AC-6RA-5SI-2
PCI DSS 4.0
2.2.66.3.16.3.37.2.1
SOC 2 2017 TSC
CC6.1CC7.1

Generated artifacts

0 of 5 targets supported
Not supported by kyverno

This policy references fields that kyverno cannot express in its rule language.

Missing capabilities
fixed-byseverity
IR (canonical)
{
  "id": "b1df1abb-e5a5-4ff7-98fe-1d28a22b55d8",
  "name": "Privileged Containers with Important and Critical Fixable CVEs",
  "description": "Alert on containers running in privileged mode with important or critical fixable vulnerabilities",
  "rationale": "Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
  "remediation": "Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.",
  "severity": "high",
  "categories": [
    "Privileges",
    "Vulnerability Management"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "privileged-container",
        "values": [
          "true"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "fixed-by",
        "values": [
          ".*"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "severity",
        "values": [
          ">= IMPORTANT"
        ],
        "valuesOp": "or",
        "negate": false
      }
    ]
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "b1df1abb-e5a5-4ff7-98fe-1d28a22b55d8",
  "name": "Privileged Containers with Important and Critical Fixable CVEs",
  "description": "Alert on containers running in privileged mode with important or critical fixable vulnerabilities",
  "rationale": "Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
  "remediation": "Use your package manager to update to a fixed version in future builds, run your container with lower privileges, or speak with your security team to mitigate the vulnerabilities.",
  "disabled": false,
  "categories": [
    "Privileges",
    "Vulnerability Management"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Privileged Container",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        },
        {
          "fieldName": "Fixed By",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ".*"
            }
          ]
        },
        {
          "fieldName": "Severity",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ">= IMPORTANT"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}