Privilege Escalation Allowed

  • Query id: 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d
  • Query name: Privilege Escalation Allowed
  • Platform: Kubernetes
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: true
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

  - name: log-aggregator
    image: images.my-company.example/log-aggregator:v6
    securityContext:
      runAsUser: 2000
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
Positive test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: example-priv
spec:
  containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
          drop:
            - SYS_ADMIN
      - name: payment2
        image: nginx
      - name: payment4
        image: nginx
        securityContext:
          capabilities:
            add:
              - NET_BIND_SERVICE
      - name: payment3
        image: nginx
        securityContext:
          allowPrivilegeEscalation: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

  - name: log-aggregator
    image: images.my-company.example/log-aggregator:v6
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"