Skip to main content

☑️ Prevent containers from escalating privileges

Privileged escalation allows a process to change the security context under which its running. In their default state, containers allow privilege escalation. Attackers may use this default behavior to manipulate the application or process and to gain more permissions than they should have.

Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? True

Policy as code identifier: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION


This rule will fail

If the key allowPrivilegeEscalation is not explicitly set to false:

kind: Deployment
spec:
template:
spec:
containers:
- name: myContainer

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from escalating privileges [1 occurrence]
💡 Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container privileges

How to fix this failure

Set the allowPrivilegeEscalation key to false:

kind: Deployment
spec:
template:
spec:
containers:
- name: myContainer
securityContext:
allowPrivilegeEscalation: false

Read more