
Containers run with AllowPrivilegeEscalation based on Pod Security Policy setting

Description

The AllowPrivilegeEscalation Pod Security Policy controls whether a user is allowed to set allowPrivilegeEscalation to true in a container's security context. Setting it to false ensures that no child process of a container can gain more privileges than its parent. We recommend setting AllowPrivilegeEscalation to false so that commands run under RunAsUser cannot bypass their existing set of permissions.

Code Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      allowPrivilegeEscalation: false
```

Remediation

Kubernetes

  • Resource: Container
  • Arguments: allowPrivilegeEscalation (Optional). If false, the pod cannot request privilege escalation. Defaults to true.
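The following checker is an added example, not code from this page or from Checkov. It reproduces the logic of the rule described above (flag every container that does not explicitly set allowPrivilegeEscalation: false) over a manifest that has already been parsed into a dict, as kubectl get ... -o json would return it, so no YAML library is needed. It goes slightly beyond the Pod example on the page by also descending into the pod template of Deployment, StatefulSet, DaemonSet, Job, ReplicaSet and CronJob objects, and it includes a remediate() helper that applies the fix from the Code Example section. The sample manifest and the function names are constructed for this example.

```python
"""Detect and remediate containers missing allowPrivilegeEscalation: false.

Hypothetical checker modelled on the rule on this page (Checkov CKV_K8S_5).
Input is a manifest parsed into a dict, e.g. json.load() over the output of
`kubectl get pod <name> -o json`.
"""
import copy

# Kinds whose pod spec sits under spec.template.spec instead of spec
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(manifest):
    """Return the PodSpec dict for a Pod or a pod-template-bearing workload."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return {}


def check_allow_privilege_escalation(manifest):
    """Return a list of (container name, reason) for every failing container.

    initContainers are checked first, then containers, mirroring pod startup.
    """
    findings = []
    spec = pod_spec(manifest)
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            value = sc.get("allowPrivilegeEscalation")
            if value is None:
                # The field is optional and defaults to true when absent
                findings.append((name, "allowPrivilegeEscalation not set (defaults to true)"))
            elif value is not False:
                findings.append((name, f"allowPrivilegeEscalation is {value!r}"))
            if sc.get("privileged") is True:
                # A privileged container can always escalate; Kubernetes rejects
                # privileged: true combined with allowPrivilegeEscalation: false
                findings.append((name, "privileged: true always permits escalation"))
    return findings


def remediate(manifest):
    """Return a deep copy with allowPrivilegeEscalation: false on every container.

    Privileged containers are left untouched because the API server would
    reject the combination; they need a separate decision.
    """
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            sc = container.setdefault("securityContext", {})
            if sc.get("privileged") is not True:
                sc["allowPrivilegeEscalation"] = False
    return fixed


# Constructed sample: one compliant container, one with no securityContext,
# and an init container that explicitly allows escalation.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"allowPrivilegeEscalation": True}},
        ],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "busybox"},
        ],
    },
}

if __name__ == "__main__":
    for name, reason in check_allow_privilege_escalation(SAMPLE_POD):
        print(f"FAIL {name}: {reason}")
    print("after remediation:", check_allow_privilege_escalation(remediate(SAMPLE_POD)))
```

Run against a live cluster with `kubectl get pod <name> -o json | python3 -c 'import json,sys; ...'` feeding the parsed document to check_allow_privilege_escalation(); an empty list means every container in the object is compliant with the rule.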

Rule Details

Field        Value
ID           IAC-1083
Severity     MEDIUM
IaC Type     Kubernetes
Frameworks   Kubernetes
Checkov ID   CKV_K8S_5

References