C-0016 - Allow privilege escalation
Allow privilege escalation
ArmoBest, NSA, AllControls
Description of the the issue
Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
CronJob, DaemonSet, Deployment, Job, Pod, PodSecurityPolicy, ReplicaSet, StatefulSet
What does this control test
Check that the allowPrivilegeEscalation field in securityContext of container is set to false.
If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 1 template: spec: containers: - name: nginx image: nginx:latest securityContext: allowPrivilegeEscalation: false # this field should be set to false explicitly
Updated 2 days ago