PSP Set To Privileged

  • Query id: c48e57d3-d642-4e0b-90db-37f807b41b91
  • Query name: PSP Set To Privileged
  • Platform: Kubernetes
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 732
  • URL: Github

Description

Do not allow pods to request execution as privileged.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
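As an added example (not code from this page or from KICS itself), a small Python checker that parses manifests like the two samples above and reports the positive one. The hand-written parser handles only the indentation-based YAML subset these samples use; the query id, name and severity come from the header of this page, and the embedded sample manifests are constructed copies of the positive and negative tests.

```python
# Added example (not KICS's own code): flag a PodSecurityPolicy whose spec.privileged is true.
# The parser covers only the indentation-based YAML subset of these manifests; samples are constructed.
QUERY = {"id": "c48e57d3-d642-4e0b-90db-37f807b41b91",
         "name": "PSP Set To Privileged", "severity": "High"}
def _scalar(raw):
    raw = raw.strip().strip("'\"")
    return {"true": True, "false": False}.get(raw.lower(), raw)
def _block(lines, i, indent):
    # lines are (indent, text) pairs; parse lines[i:] at this indent, return (value, next_i)
    if i < len(lines) and lines[i][1].startswith("- "):
        seq = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            seq.append(_scalar(lines[i][1][2:]))
            i += 1
        return seq, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():                      # inline scalar, e.g. "privileged: true"
            mapping[key] = _scalar(rest)
        elif i < len(lines) and (lines[i][0] > indent or
                                 (lines[i][0] == indent and lines[i][1].startswith("- "))):
            mapping[key], i = _block(lines, i, lines[i][0])   # nested mapping or list
        else:
            mapping[key] = None
    return mapping, i
def parse_manifest(text):
    lines = [(len(l) - len(l.lstrip(" ")), l.strip()) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return _block(lines, 0, lines[0][0])[0] if lines else {}
def check_psp_privileged(text):
    doc = parse_manifest(text)   # a finding only for a PSP with privileged: true; absent means false
    if not isinstance(doc, dict) or doc.get("kind") != "PodSecurityPolicy":
        return None
    if (doc.get("spec") or {}).get("privileged") is True:
        return dict(QUERY, resource=(doc.get("metadata") or {}).get("name"),
                    issue="spec.privileged is true")
    return None

POSITIVE = """apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: true
  volumes:
  - '*'
"""
NEGATIVE = POSITIVE.replace("privileged: true", "privileged: false")
```

Running `check_psp_privileged(POSITIVE)` returns a finding naming resource `example`, while the negative manifest and a non-PSP resource return `None`.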