Container is privileged
Description
Privileged containers are containers that have all of the root capabilities of a host machine, allowing access to resources that are not accessible in ordinary containers. Common uses of privileged containers include: running a Docker daemon inside a Docker container, running a container with direct hardware access, and automating CI/CD tasks in the open-source automation server Jenkins. Running a container with a privileged flag allows users to have critical access to the host's resources. If a privileged container is compromised, it does not necessarily entail remote code execution, but it implies that an attacker will be able to run full host root with all of the available capabilities, including CAP_SYS_ADMIN.
Code Example
apiVersion: v1
kind: Pod
metadata:
name: <Pod name>
spec:
containers:
- name: <container name>
image: <image>
securityContext:
- privileged: trueRemediation
Kubernetes
- Resource: Container
- Arguments: privileged (Optional)
If true, processes in the privileged containers are essentially equivalent to root on the host. Default to false.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1094 |
| Severity | HIGH |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes, |
| Checkov ID | CKV_K8S_16 |