Privileged Container
No violationsstackroxmediumdeployAlert on deployments with containers running in privileged mode
- Rationale
- Containers running as privileged represent greater post-exploitation risk by allowing an attacker to access all host devices, run a daemon in the container, etc.
- Remediation
- Verify that privileged capabilities are required and cannot be provided with a subset of other controls.
CategoriesDocker CISPrivileges
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.1
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.2A.8.9
- NIST SP 800-53 rev. 5
- AC-6CM-2
- PCI DSS 4.0
- 2.2.12.2.67.2.1
- SOC 2 2017 TSC
- CC6.1
Generated artifacts
3 of 5 targets supportedprivileged-container.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: privileged-container
annotations:
policies.kyverno.io/title: Privileged Container
policies.kyverno.io/category: Docker CIS, Privileges
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Alert on deployments with containers running in privileged mode
policies.kyverno.io/remediation: Verify that privileged capabilities are required and cannot be provided with a subset of other controls.
policies.kyverno.io/rationale: Containers running as privileged represent greater post-exploitation risk by allowing an attacker to access all host devices, run a daemon in the container, etc.
policies.io/source: stackrox
policies.io/source-id: fe9de18b-86db-44d5-a7c4-74173ccffe2e
spec:
validationFailureAction: Audit
background: true
rules:
- name: privileged-container
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Privileged Container" violated: Alert on deployments with containers running in privileged mode'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].securityContext.privileged || `[]` }}"
operator: AnyIn
value:
- true
exclude:
any:
- resources:
namespaces:
- openshift-security
- resources:
namespaces:
- openshift-azure-logging
- resources:
namespaces:
- openshift-security
- resources:
namespaces:
- openshift-oauth-apiserver
- resources:
namespaces:
- openshift-ovn-kubernetes
- resources:
namespaces:
- openshift-authentication
- resources:
namespaces:
- openshift-multus
- resources:
namespaces:
- openshift-multus
- resources:
namespaces:
- openshift-image-registry
- resources:
namespaces:
- stackrox
- resources:
namespaces:
- kube-system
- resources:
namespaces:
- istio-system
- resources:
namespaces:
- openshift-node
- resources:
namespaces:
- openshift-sdn
- resources:
namespaces:
- openshift-kube-apiserver
- resources:
namespaces:
- openshift-etcd
- resources:
namespaces:
- openshift-apiserver
- resources:
namespaces:
- openshift-dns
- resources:
namespaces:
- openshift-cluster-node-tuning-operator
- resources:
namespaces:
- openshift-cluster-csi-drivers
- resources:
namespaces:
- openshift-machine-config-operator
- resources:
namespaces:
- openshift-vsphere-infra
- resources:
namespaces:
- openshift-vsphere-infra
- resources:
namespaces:
- openshift-vsphere-infra
- resources:
namespaces:
- openshift-vsphere-infra
- resources:
namespaces:
- openshift-vsphere-infra
IR (canonical)
{
"id": "fe9de18b-86db-44d5-a7c4-74173ccffe2e",
"name": "Privileged Container",
"description": "Alert on deployments with containers running in privileged mode",
"rationale": "Containers running as privileged represent greater post-exploitation risk by allowing an attacker to access all host devices, run a daemon in the container, etc.",
"remediation": "Verify that privileged capabilities are required and cannot be provided with a subset of other controls.",
"severity": "medium",
"categories": [
"Docker CIS",
"Privileges"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "splunkforwarder-ds",
"namespace": "openshift-security"
},
{
"name": "mdsd",
"namespace": "openshift-azure-logging"
},
{
"name": "audit-exporter",
"namespace": "openshift-security"
},
{
"name": "apiserver",
"namespace": "openshift-oauth-apiserver"
},
{
"name": "ovnkube-node",
"namespace": "openshift-ovn-kubernetes"
},
{
"name": "oauth-openshift",
"namespace": "openshift-authentication"
},
{
"name": "multus-additional-cni-plugins",
"namespace": "openshift-multus"
},
{
"name": "multus",
"namespace": "openshift-multus"
},
{
"name": "node-ca",
"namespace": "openshift-image-registry"
},
{
"name": "Don't alert on the stackrox namespace",
"namespace": "stackrox"
},
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
},
{
"name": "Don't alert on openshift-node namespace",
"namespace": "openshift-node"
},
{
"name": "Don't alert on openshift-sdn namespace",
"namespace": "openshift-sdn"
},
{
"name": "Don't alert on openshift-kube-apiserver namespace",
"namespace": "openshift-kube-apiserver"
},
{
"name": "Don't alert on openshift-etcd namespace",
"namespace": "openshift-etcd"
},
{
"name": "Don't alert on openshift-apiserver namespace",
"namespace": "openshift-apiserver"
},
{
"name": "Don't alert on openshift-dns namespace",
"namespace": "openshift-dns"
},
{
"name": "Don't alert on openshift-cluster-node-tuning-operator namespace",
"namespace": "openshift-cluster-node-tuning-operator"
},
{
"name": "Don't alert on openshift-cluster-csi-drivers namespace",
"namespace": "openshift-cluster-csi-drivers"
},
{
"name": "Don't alert on openshift-machine-config-operator namespace",
"namespace": "openshift-machine-config-operator"
},
{
"name": "coredns-ci-ln-.*-master-\\d+",
"namespace": "openshift-vsphere-infra"
},
{
"name": "haproxy-ci-ln-.*-master-\\d+",
"namespace": "openshift-vsphere-infra"
},
{
"name": "keepalived-ci-ln-.*-master-\\d+",
"namespace": "openshift-vsphere-infra"
},
{
"name": "coredns-ci-ln-.*-worker-.*",
"namespace": "openshift-vsphere-infra"
},
{
"name": "keepalived-ci-ln-.*-worker-.*",
"namespace": "openshift-vsphere-infra"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "privileged-container",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "fe9de18b-86db-44d5-a7c4-74173ccffe2e",
"name": "Privileged Container",
"description": "Alert on deployments with containers running in privileged mode",
"rationale": "Containers running as privileged represent greater post-exploitation risk by allowing an attacker to access all host devices, run a daemon in the container, etc.",
"remediation": "Verify that privileged capabilities are required and cannot be provided with a subset of other controls.",
"disabled": false,
"categories": [
"Docker CIS",
"Privileges"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on deployment splunkforwarder-ds in namespace openshift-security",
"deployment": {
"name": "splunkforwarder-ds",
"scope": {
"cluster": "",
"namespace": "openshift-security",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment mdsd in namespace openshift-azure-logging",
"deployment": {
"name": "mdsd",
"scope": {
"cluster": "",
"namespace": "openshift-azure-logging",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment audit-exporter in namespace openshift-security",
"deployment": {
"name": "audit-exporter",
"scope": {
"cluster": "",
"namespace": "openshift-security",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment apiserver in namespace openshift-oauth-apiserver",
"deployment": {
"name": "apiserver",
"scope": {
"cluster": "",
"namespace": "openshift-oauth-apiserver",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment ovnkube-node in namespace openshift-ovn-kubernetes",
"deployment": {
"name": "ovnkube-node",
"scope": {
"cluster": "",
"namespace": "openshift-ovn-kubernetes",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment oauth-openshift in namespace openshift-authentication",
"deployment": {
"name": "oauth-openshift",
"scope": {
"cluster": "",
"namespace": "openshift-authentication",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment multus-additional-cni-plugins in namespace openshift-multus",
"deployment": {
"name": "multus-additional-cni-plugins",
"scope": {
"cluster": "",
"namespace": "openshift-multus",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment multus in namespace openshift-multus",
"deployment": {
"name": "multus",
"scope": {
"cluster": "",
"namespace": "openshift-multus",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment node-ca in namespace openshift-image-registry",
"deployment": {
"name": "node-ca",
"scope": {
"cluster": "",
"namespace": "openshift-image-registry",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on the stackrox namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-node namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-node",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-sdn namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-sdn",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-kube-apiserver namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-kube-apiserver",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-etcd namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-etcd",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-apiserver namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-apiserver",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-dns namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-dns",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-cluster-node-tuning-operator namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-cluster-node-tuning-operator",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-cluster-csi-drivers namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-cluster-csi-drivers",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-machine-config-operator namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-machine-config-operator",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment coredns-ci-ln-*-master-\\d+ in namespace openshift-vsphere-infra",
"deployment": {
"name": "coredns-ci-ln-.*-master-\\d+",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment haproxy-ci-ln-*-master-\\d+ in namespace openshift-vsphere-infra",
"deployment": {
"name": "haproxy-ci-ln-.*-master-\\d+",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment keepalived-ci-ln-*-master-\\d+ in namespace openshift-vsphere-infra",
"deployment": {
"name": "keepalived-ci-ln-.*-master-\\d+",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployments coredns-ci-ln-*-worker-* in namespace openshift-vsphere-infra",
"deployment": {
"name": "coredns-ci-ln-.*-worker-.*",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployments keepalived-ci-ln-*-worker-* in namespace openshift-vsphere-infra",
"deployment": {
"name": "keepalived-ci-ln-.*-worker-.*",
"scope": {
"cluster": "",
"namespace": "openshift-vsphere-infra",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Privileged Container",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}