C-0016 - Allow privilege escalation

Framework

AllControls, ArmoBest, security, WorkloadScan, NSA

Severity

Medium

Description of the the issue

Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, PodSecurityPolicy, ReplicaSet, StatefulSet

What does this control test

Check that the allowPrivilegeEscalation field in securityContext of container is set to false.

Remediation

If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  template:
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        securityContext:
          allowPrivilegeEscalation: false # this field should be set to false explicitly