Container Is Privileged
- Query id: dd29336b-fe57-445b-a26e-e6aa867ae609
- Query name: Container Is Privileged
- Platform: Kubernetes
- Severity: High
- Category: Insecure Configurations
- CWE: 269
- URL: Github
Description
Privileged containers run without the kernel restrictions that normally isolate a container from its node; a process in one is essentially equivalent to root on the host. Avoid them by removing the 'privileged' flag from the container's securityContext or by setting it to false. Note that the check applies to initContainers as well as regular containers.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
    - name: sec-ctx-4
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        privileged: true          # flagged: the container gets full access to the host
        capabilities:
          add: ["NET_ADMIN", "SYS_TIME"]
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-5
spec:
  initContainers:
    - name: sec-ctx-4
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        privileged: true          # flagged: init containers are checked as well
        capabilities:
          add: ["NET_ADMIN", "SYS_TIME"]
  containers:
    - name: sec-ctx-4             # not privileged; only the init container is reported
      image: gcr.io/google-samples/node-hello:1.0
```
Positive test num. 2 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  labels:
    app: test
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
        - name: pause
          image: k8s.gcr.io/pause
          securityContext:
            privileged: true      # flagged: the pod template is checked, so every replica is privileged
```
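The following is an added example, not the KICS query itself (KICS queries are written in Rego): a stand-alone Python reimplementation of the same check that walks a manifest to its PodSpec, inspects initContainers, containers and ephemeralContainers, reports each container whose securityContext has `privileged: true`, and can apply the remediation the description asks for by removing the flag. The kind-to-PodSpec path table covers the common workload kinds; the sample manifests are constructed here as Python dicts mirroring the two positive tests above, plus one compliant Pod, so the script runs without PyYAML (the optional `load_manifests` helper uses PyYAML when it is installed).

```python
"""Flag privileged containers in Kubernetes manifests.

Added example; not the KICS query. Works on manifests already parsed into
Python dicts, so no YAML library is needed to run it.
"""
from __future__ import annotations

from typing import Any, Iterator

# Path from the top-level object to its PodSpec, per kind. Pods carry the spec
# directly, workload controllers wrap it in a template, CronJobs nest one more level.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# Every list in a PodSpec that can hold a container with its own securityContext.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def _dig(obj: Any, path: tuple) -> Any:
    """Follow a key path through nested dicts; return None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def iter_containers(manifest: dict) -> Iterator[tuple[str, dict]]:
    """Yield (location, container) for every container the manifest would run."""
    path = POD_SPEC_PATHS.get(manifest.get("kind", ""))
    pod_spec = _dig(manifest, path) if path else None
    if not isinstance(pod_spec, dict):
        return  # unknown kind or no PodSpec: nothing to check
    for list_name in CONTAINER_LISTS:
        for container in pod_spec.get(list_name) or []:
            if isinstance(container, dict):
                yield f"{list_name}[{container.get('name', '?')}]", container


def is_privileged(container: dict) -> bool:
    """True only for a literal boolean true; the API server rejects a string here."""
    security_context = container.get("securityContext") or {}
    return security_context.get("privileged") is True


def find_privileged(manifest: dict) -> list[str]:
    """Return one finding per privileged container, e.g. 'Pod/demo: containers[app]'."""
    kind = manifest.get("kind", "?")
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    return [f"{kind}/{name}: {loc}" for loc, c in iter_containers(manifest) if is_privileged(c)]


def drop_privileged(manifest: dict) -> int:
    """Remediate in place by removing the flag; returns the number of containers changed."""
    changed = 0
    for _, container in iter_containers(manifest):
        if is_privileged(container):
            del container["securityContext"]["privileged"]
            changed += 1
    return changed


def load_manifests(text: str) -> list[dict]:
    """Parse a multi-document YAML string; needs PyYAML (optional dependency)."""
    import yaml  # imported here so the rest of the module works without it
    return [doc for doc in yaml.safe_load_all(text) if isinstance(doc, dict)]


# Constructed samples mirroring the positive tests above, plus one compliant Pod.
POD_PRIVILEGED_INIT = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-5"},
    "spec": {
        "initContainers": [{"name": "sec-ctx-4", "image": "gcr.io/google-samples/node-hello:1.0",
                            "securityContext": {"privileged": True,
                                                "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}],
        "containers": [{"name": "sec-ctx-4", "image": "gcr.io/google-samples/node-hello:1.0"}],
    },
}
DEPLOYMENT_PRIVILEGED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "test-deployment"},
    "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "test"}},
             "template": {"metadata": {"labels": {"app": "test"}},
                          "spec": {"containers": [{"name": "pause", "image": "k8s.gcr.io/pause",
                                                   "securityContext": {"privileged": True}}]}}},
}
POD_COMPLIANT = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-ok"},
    "spec": {"containers": [{"name": "app", "image": "gcr.io/google-samples/node-hello:1.0",
                             "securityContext": {"privileged": False}}]},
}

if __name__ == "__main__":
    for manifest in (POD_PRIVILEGED_INIT, DEPLOYMENT_PRIVILEGED, POD_COMPLIANT):
        for finding in find_privileged(manifest):
            print("PRIVILEGED:", finding)
```

Run as-is it reports the init container of `security-context-demo-5` and the `pause` container of `test-deployment` and nothing for the compliant Pod. To scan real files, pass the file contents through `load_manifests` and feed each document to `find_privileged`. The check deliberately matches only a boolean `true`: a quoted `"true"` is not a valid value for this field and would be rejected at admission, so treating it as privileged would only produce false positives.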