Iptables or nftables Executed in Privileged Container
No violationsstackroxcriticalruntimeAlert on privileged pods that execute iptables or nftables
- Rationale
- Processes that are running with UID 0 run as the root user. iptables and nftables can be used in privileged containers to modify the node's network routing.
- Remediation
- Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context
CategoriesNetwork ToolsSecurity Best Practices
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.1
- DORA EU 2022/2554
- Art. 9.2Art. 9.4(b)
- ISO/IEC 27001 2022
- A.8.2A.8.20A.8.9
- NIST SP 800-53 rev. 5
- AC-6CM-2CM-7
- PCI DSS 4.0
- 2.2.12.2.42.2.6
- SOC 2 2017 TSC
- CC6.1
Generated artifacts
0 of 5 targets supportedNot supported by kyverno
This policy references fields that kyverno cannot express in its rule language.
Missing capabilities
process-nameprocess-uidIR (canonical)
{
"id": "ed8c7957-14de-40bc-aeab-d27ceeecfa7b",
"name": "Iptables or nftables Executed in Privileged Container",
"description": "Alert on privileged pods that execute iptables or nftables",
"rationale": "Processes that are running with UID 0 run as the root user. iptables and nftables can be used in privileged containers to modify the node's network routing.",
"remediation": "Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context",
"severity": "critical",
"categories": [
"Network Tools",
"Security Best Practices"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "haproxy-control-plane-*",
"namespace": "openshift-kni-infra"
},
{
"name": "keepalived-control-plane-*",
"namespace": "openshift-kni-infra"
},
{
"name": "keepalived-worker-*",
"namespace": "openshift-kni-infra"
},
{
"name": "haproxy-.*",
"namespace": "openshift-vsphere-infra"
},
{
"name": "keepalived-.*",
"namespace": "openshift-vsphere-infra"
},
{
"name": "coredns-.*",
"namespace": "openshift-vsphere-infra"
},
{
"name": "ovnkube-node",
"namespace": "openshift-ovn-kubernetes"
},
{
"name": "Don't alert on Kube System Namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
},
{
"name": "Don't alert on openshift-sdn namespace",
"namespace": "openshift-sdn"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "privileged-container",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "process-name",
"values": [
"iptables",
"nft"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "process-uid",
"values": [
"0"
],
"valuesOp": "or",
"negate": false
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "ed8c7957-14de-40bc-aeab-d27ceeecfa7b",
"name": "Iptables or nftables Executed in Privileged Container",
"description": "Alert on privileged pods that execute iptables or nftables",
"rationale": "Processes that are running with UID 0 run as the root user. iptables and nftables can be used in privileged containers to modify the node's network routing.",
"remediation": "Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context",
"disabled": false,
"categories": [
"Network Tools",
"Security Best Practices"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on deployment haproxy-control-plane-* in namespace openshift-kni-infra",
"deployment": {
"name": "haproxy-control-plane-*",
"scope": {
"cluster": "",
"namespace": "openshift-kni-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment keepalived-control-plane-* in namespace openshift-kni-infra",
"deployment": {
"name": "keepalived-control-plane-*",
"scope": {
"cluster": "",
"namespace": "openshift-kni-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment keepalived-worker-* in namespace openshift-kni-infra",
"deployment": {
"name": "keepalived-worker-*",
"scope": {
"cluster": "",
"namespace": "openshift-kni-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on haproxy-* deployment in openshift-vsphere-infra namespace",
"deployment": {
"name": "haproxy-.*",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on keepalived-* deployment in openshift-vsphere-infra namespace",
"deployment": {
"name": "keepalived-.*",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on coredns-* deployment in openshift-vsphere-infra namespace",
"deployment": {
"name": "coredns-.*",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on ovnkube-node deployment in openshift-ovn-kubernetes Namespace",
"deployment": {
"name": "ovnkube-node",
"scope": {
"cluster": "",
"namespace": "openshift-ovn-kubernetes",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on Kube System Namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-sdn namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-sdn",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "CRITICAL_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Privileged Container",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
},
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "iptables"
},
{
"value": "nft"
}
]
},
{
"fieldName": "Process UID",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "0"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0004",
"techniques": [
"T1611"
]
},
{
"tactic": "TA0005",
"techniques": [
"T1562.004"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}