☑️ Prevent containers from escalating privileges
Privilege escalation allows a process to change the security context under which it is running. In their default state, containers allow privilege escalation. Attackers may use this default behavior to manipulate the application or process and to gain more permissions than they should have.
Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: easy
Policy as code identifier: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION
This rule will fail
If the key allowPrivilegeEscalation is not explicitly set to false:
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: myContainer
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent containers from escalating privileges [1 occurrence]
💡 Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container privileges
How to fix this failure
Set the allowPrivilegeEscalation key to false. This applies the no_new_privs flag to the container's processes, so a setuid binary or file capability cannot grant them more privileges than their parent:
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: myContainer
        securityContext:
          allowPrivilegeEscalation: false
Note that Kubernetes treats allowPrivilegeEscalation as true whenever the container runs as privileged or is granted CAP_SYS_ADMIN, so the setting only has effect when neither of those is present.
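A small checker that applies the same rule to already-parsed manifests, as an added example (not Datree's own code). It walks the pod template of each kind the rule targets, including the nested jobTemplate of a CronJob, and reports containers whose allowPrivilegeEscalation is anything other than the boolean false; the sample manifests and the extra initContainers check are my own additions, not part of the page's rule.

```python
# Workload kinds covered by the rule, mapped to where the pod spec lives.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec dict for a targeted kind, or None for other kinds."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None


def find_violations(manifest):
    """Names of containers that do not set allowPrivilegeEscalation to false.

    Only the boolean False passes: a missing key, true, or the string "false"
    (a common YAML quoting mistake) are all reported as violations.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return []
    bad = []
    # initContainers are checked as well; the page's rule text names only containers.
    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        ctx = container.get("securityContext") or {}
        if ctx.get("allowPrivilegeEscalation") is not False:
            bad.append(container.get("name", "<unnamed>"))
    return bad


# Constructed sample manifests (parsed YAML), mirroring the page's fail/fix examples.
FAIL_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "myContainer"}]}}}}
FIXED_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "myContainer",
                    "securityContext": {"allowPrivilegeEscalation": False}}]}}}}
CRONJOB = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "containers": [{"name": "backup",
                    "securityContext": {"allowPrivilegeEscalation": "false"}}]}}}}}}
```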