☑️ Prevent containers from having root access capabilities

Processes running in privileged containers have access to host-level resources such as the file system. These containers are much more secure when their access is limited to the pod level.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy (What does this mean?)

Policy as code identifier: CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE

This rule will fail

If privileged is set as true

spec:
  containers:
    - name: app
      image: nginx:1.19.8
      securityContext:
        privileged: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from having root access capabilities [1 occurrence]
💡 Incorrect value for key `privileged` - this mode will allow the container the same access as processes running on the host

How to fix this failure

Set privileged to false or remove this property completely

spec:
  containers:
    - name: app
      image: nginx:1.19.8
      securityContext:
        privileged: false

Kubernetes docs - privileged containers

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more