C-0016 - Allow privilege escalation
Framework
AllControls, ArmoBest, security, WorkloadScan, NSA
Severity
Medium
Description of the the issue
Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, PodSecurityPolicy, ReplicaSet, StatefulSet
What does this control test
Check that the allowPrivilegeEscalation field in securityContext of container is set to false.
Remediation
If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.
Example
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 1
template:
spec:
containers:
- name: nginx
image: nginx:latest
securityContext:
allowPrivilegeEscalation: false # this field should be set to false explicitly
Updated about 2 months ago