k8s-securitycontext-privileged¶
Container should not be privileged
Containers running Privileged mode in Kubernetes bypass many of the safeguards and restrictions that would otherwise be imposed on them and share many of the host's resources. Such a container is granted almost the same level of access as the root user on the host and might allow the container to inspect or modify both the Hosts's resources as well as those of other Containers.
Examples¶
Insecure Example
# pods.yaml
apiVersion: v1
kind: Pod
metadata:
name: default
spec:
containers:
- name: app
image: registry/image:tag
securityContext:
allowPrivilegeEscalation: true
Secure Example
# pods.yaml
apiVersion: v1
kind: Pod
metadata:
name: default
spec:
containers:
- name: app
image: registry/image:tag
securityContext:
allowPrivilegeEscalation: false