k8s-securitycontext-privileged

Container should not be privileged

Containers running Privileged mode in Kubernetes bypass many of the safeguards and restrictions that would otherwise be imposed on them and share many of the host's resources. Such a container is granted almost the same level of access as the root user on the host and might allow the container to inspect or modify both the Hosts's resources as well as those of other Containers.

Examples

Insecure Example

# pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  containers:
    - name: app
      image: registry/image:tag
  securityContext:
    allowPrivilegeEscalation: true

Secure Example

# pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  containers:
    - name: app
      image: registry/image:tag
  securityContext:
    allowPrivilegeEscalation: false

More information

• Kubernetes Security Context
• Kubernetes Security Policies