Privilege Escalation Allowed
- Query id: 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d
- Query name: Privilege Escalation Allowed
- Platform: Kubernetes
- Severity: High
- Category: Insecure Configurations
- CWE: Ongoing
- URL: Github
Description
Containers should not run with allowPrivilegeEscalation set to true (the default when the field is omitted), in order to prevent them from gaining more privileges than their parent process.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: true
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  - name: log-aggregator
    image: images.my-company.example/log-aggregator:v6
    securityContext:
      runAsUser: 2000
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
```
Positive test num. 2 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-priv
spec:
  containers:
  - name: payment
    image: nginx
    securityContext:
      capabilities:
        drop:
        - SYS_ADMIN
  - name: payment2
    image: nginx
  - name: payment4
    image: nginx
    securityContext:
      capabilities:
        add:
        - NET_BIND_SERVICE
  - name: payment3
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  - name: log-aggregator
    image: images.my-company.example/log-aggregator:v6
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
```
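The following is an added example, not part of the KICS query or its test files: a small Python checker that reproduces the logic behind this query on a Pod manifest and also covers the two cases where Kubernetes forces allowPrivilegeEscalation to true regardless of the field (a privileged container, or one granted CAP_SYS_ADMIN). The manifest is constructed inline as the dict `yaml.safe_load` would return for "Positive test num. 2" above, so no third-party YAML library is needed.

```python
# Added example: mirrors the "Privilege Escalation Allowed" check on a Pod.
# The sample Pod below is constructed inline (equivalent to Positive test
# num. 2) so the script runs offline without PyYAML.

def container_allows_privilege_escalation(container):
    """Return True when the container may gain more privileges than its parent.

    Kubernetes defaults allowPrivilegeEscalation to true when the field is
    omitted, and always forces it to true when the container is privileged
    or is granted CAP_SYS_ADMIN, so an explicit 'false' is not sufficient
    in those two cases.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True
    for cap in (sc.get("capabilities") or {}).get("add") or []:
        cap = str(cap).upper()
        if cap.startswith("CAP_"):
            cap = cap[4:]          # accept both "SYS_ADMIN" and "CAP_SYS_ADMIN"
        if cap == "SYS_ADMIN":
            return True
    return bool(sc.get("allowPrivilegeEscalation", True))


def find_privilege_escalation(pod):
    """Return names of offending containers (regular and init containers)."""
    spec = pod.get("spec") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return [c["name"] for c in containers if container_allows_privilege_escalation(c)]


# Constructed sample: the same Pod as "Positive test num. 2" above.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-priv"},
    "spec": {"containers": [
        {"name": "payment", "image": "nginx",
         "securityContext": {"capabilities": {"drop": ["SYS_ADMIN"]}}},
        {"name": "payment2", "image": "nginx"},
        {"name": "payment4", "image": "nginx",
         "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
        {"name": "payment3", "image": "nginx",
         "securityContext": {"allowPrivilegeEscalation": False}},
    ]},
}

if __name__ == "__main__":
    for name in find_privilege_escalation(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['name']}/{name}: allowPrivilegeEscalation is not false")
```

Only payment3 passes; the other three containers are reported because the field is absent (payment, payment2, payment4), matching the three findings the query raises for this sample.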