Pods should not run privileged containers
Description
An attacker may be able to use a vulnerability in a privileged pod to directly attack the host. Therefore, running containers with full privileges should only be done in exceptional situations in which accessing resources and kernel capabilities of the host system is required.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that containers in a Kubernetes.Pod do not have a `securityContext` where `privileged` is set to `true`. By default, `privileged` is set to `false`.
Example Configuration
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - name: hello
    image: busybox
    command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
    securityContext:
      privileged: false
    # other required fields here
```
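One way to audit for this rule is sketched below as an added example; it is not code from this page or from any tool it describes. It goes beyond the single-Pod case above by also checking `initContainers`, `ephemeralContainers` and the pod template of Deployment-style workloads. The function names are hypothetical, and the sample input is constructed in the shape of `kubectl get ... -o json` output.

```python
import json

# Container lists in a PodSpec; each entry can carry securityContext.privileged.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")

def pod_spec(obj):
    """PodSpec of a Pod, or the pod template of a Deployment-style workload."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}

def privileged_containers(obj):
    """Return (namespace/name, field, container) for each privileged container."""
    meta = obj.get("metadata") or {}
    owner = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for field in CONTAINER_FIELDS:
        for c in pod_spec(obj).get(field) or []:
            # privileged defaults to false when absent; only a literal true fails.
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append((owner, field, c.get("name")))
    return findings

def audit(doc):
    """Audit one object or a kubectl-style List of objects."""
    items = doc["items"] if doc.get("kind", "").endswith("List") else [doc]
    return [f for item in items for f in privileged_containers(item)]

# Constructed sample input (hypothetical objects, not taken from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"name": "hello", "namespace": "demo"},
   "spec": {"containers": [{"name": "hello", "image": "busybox",
                            "securityContext": {"privileged": false}}]}},
  {"kind": "Pod", "metadata": {"name": "setup", "namespace": "demo"},
   "spec": {"initContainers": [{"name": "init", "image": "busybox",
                                "securityContext": {"privileged": true}}],
            "containers": [{"name": "app", "image": "busybox"}]}},
  {"kind": "Deployment", "metadata": {"name": "agent", "namespace": "demo"},
   "spec": {"template": {"spec": {"containers": [
       {"name": "agent", "image": "busybox",
        "securityContext": {"privileged": true}}]}}}}
]}
""")

if __name__ == "__main__":
    for owner, field, name in audit(SAMPLE):
        print(f"FAIL {owner}: {field}[{name}] sets privileged: true")
```

The compliant `hello` Pod passes, while the init container in `setup` and the Deployment template in `agent` are reported.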