PSP Set To Privileged

• Query id: c48e57d3-d642-4e0b-90db-37f807b41b91
• Query name: PSP Set To Privileged
• Platform: Kubernetes
• Severity: High
• Category: Insecure Configurations
• URL: Github

Description

Do not allow pod to request execution as privileged.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: true 
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'