Pods should not run privileged containers

Description

An attacker may be able to use a vulnerability in a privileged pod to directly attack the host. Therefore, running containers with full privileges should only be done in exceptional situations in which accessing resources and kernel capabilities of the host system is required.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that no container in a Kubernetes.Pod has a securityContext with privileged set to true. Omitting the field is equivalent to privileged: false, which is the default.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
      securityContext:
        privileged: false   # explicit here; false is also the default when the field is omitted
# other required fields here
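The check above is easy to automate against live objects rather than a single manifest. The script below is an added example, not code from the original page or from any scanning tool: it reads the JSON that `kubectl get <kind> -A -o json` emits, walks the pod spec of Pods and of the workload kinds that embed a pod template (Deployment, DaemonSet, StatefulSet, ReplicaSet, Job, CronJob), and reports every container, init container or ephemeral container whose securityContext.privileged is true. A missing field is treated as false, matching the Kubernetes default. The three objects in SAMPLE_JSON are constructed for the example; the names and images in them are placeholders.

```python
"""Report privileged containers in Kubernetes objects (kubectl -o json output)."""
import json

# Where the pod spec lives inside each kind (added example; not an API table from the page).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# All three container lists can carry a securityContext.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def _dig(obj, path):
    """Follow a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def iter_objects(doc):
    """Yield individual objects, unwrapping a List (what kubectl -o json returns)."""
    if doc.get("kind") == "List":
        for item in doc.get("items", []):
            yield from iter_objects(item)
    else:
        yield doc


def privileged_containers(doc):
    """Return (kind, namespace, object name, container name) for every container
    whose securityContext.privileged is exactly true. An absent field is the
    Kubernetes default (false) and is not reported."""
    findings = []
    for obj in iter_objects(doc):
        kind = obj.get("kind")
        path = POD_SPEC_PATHS.get(kind)
        if path is None:
            continue                      # not a pod-carrying kind
        pod_spec = _dig(obj, path) or {}
        meta = obj.get("metadata", {})
        for list_name in CONTAINER_LISTS:
            for c in pod_spec.get(list_name) or []:
                sc = c.get("securityContext") or {}
                if sc.get("privileged") is True:
                    findings.append((kind, meta.get("namespace", "default"),
                                     meta.get("name"), c.get("name")))
    return findings


# Constructed sample input in the shape of `kubectl get ... -o json`.
SAMPLE_JSON = """
{"kind": "List", "apiVersion": "v1", "items": [
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "hello"},
   "spec": {"containers": [{"name": "hello", "image": "busybox",
                            "securityContext": {"privileged": false}}]}},
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "api", "namespace": "payments"},
   "spec": {"template": {"spec": {
     "initContainers": [{"name": "sysctl-tuner", "image": "busybox",
                         "securityContext": {"privileged": true}}],
     "containers": [{"name": "api", "image": "example/api:1.0"}]}}}},
  {"apiVersion": "batch/v1", "kind": "CronJob",
   "metadata": {"name": "cleanup", "namespace": "default"},
   "spec": {"jobTemplate": {"spec": {"template": {"spec": {
     "containers": [{"name": "cleaner", "image": "busybox",
                     "securityContext": {"privileged": true}}]}}}}}}
]}
"""
SAMPLE = json.loads(SAMPLE_JSON)


if __name__ == "__main__":
    for kind, ns, name, container in privileged_containers(SAMPLE):
        print(f"{kind} {ns}/{name}: container '{container}' is privileged")
```

Run it against real output with `kubectl get pods,deploy,ds,sts,jobs,cronjobs -A -o json | python3 check_privileged.py` after replacing SAMPLE with `json.load(sys.stdin)`. Note that init containers are checked deliberately: a privileged init container has the same reach into the host as a privileged main container, even though it runs only briefly. As a cluster-wide guardrail, the Pod Security Admission `baseline` profile rejects privileged containers at admission time, so this script is best used to find existing violations before enforcing that profile on a namespace.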