C-0057 - Privileged container


AllControls, ClusterScan, security, MITRE, WorkloadScan, NSA, ArmoBest



Description of the the issue

A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod’s service account, for example), can get access to the host’s resources.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check in Pod spec if securityContext.privileged == true, if so raise an alert.


Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.


apiVersion: v1
kind: Pod
  name: privileged
    - name: pause
      image: k8s.gcr.io/pause
          privileged: true # This field triggers failure!