Pods should not run containers with allowPrivilegeEscalation
Description
The allowPrivilegeEscalation setting controls whether a process can gain more privileges than its parent process. Set allowPrivilegeEscalation to false unless it is absolutely required.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that containers in a Kubernetes Pod configure a securityContext where allowPrivilegeEscalation is set to false, or not specified (the default is false).
Example Configuration
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: false
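The following checker is an added example and is not code from the original page or from any policy engine the page describes. It applies the rule above to manifests given as Python dicts (the structure yaml.safe_load() would return), so it runs offline without extra packages. It goes beyond the page's single Pod case in two ways that are stated here as the author of the example's own assumptions: it also walks initContainers and ephemeralContainers, and it looks inside the pod template of workload kinds such as Deployment, StatefulSet and CronJob. Two caveats a reviewer usually wants are built in: a container with privileged: true is reported as a violation, because the Kubernetes API server does not allow privileged: true together with allowPrivilegeEscalation: false, and a container that omits the field is reported with a separate "unspecified" status rather than as a violation, since the page's rule accepts an unset field while the restricted Pod Security Standard requires an explicit false. The sample manifests at the bottom are constructed for the example.

```python
"""Added example, not part of the original page: check Kubernetes manifests
for the allowPrivilegeEscalation rule."""
from typing import Dict, List, Optional

# Every container list a Pod spec can carry (initContainers and
# ephemeralContainers are an assumption that generalises the page's rule;
# all three accept the same securityContext fields).
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest: Dict) -> Optional[Dict]:
    """Return the Pod spec of a Pod, or of the pod template embedded in a
    workload (Deployment, DaemonSet, StatefulSet, Job, CronJob)."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    template = spec.get("template")
    if template is None:
        # CronJob nests the template one level deeper.
        template = (spec.get("jobTemplate") or {}).get("spec", {}).get("template")
    return template.get("spec") if template else None


def check_privilege_escalation(manifest: Dict) -> List[Dict]:
    """One finding per container that is not explicitly compliant.

    status "violation":   allowPrivilegeEscalation: true, or privileged: true
                          (a privileged container can always escalate).
    status "unspecified": field absent; accepted by the page's rule, but
                          reported so stricter policies can flag it.
    """
    findings: List[Dict] = []
    spec = pod_spec(manifest)
    if spec is None:
        return findings
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            sc = container.get("securityContext") or {}
            name = f"{list_name}/{container.get('name', '<unnamed>')}"
            if sc.get("privileged") is True:
                findings.append({"container": name, "status": "violation",
                                 "reason": "privileged: true"})
            elif sc.get("allowPrivilegeEscalation") is True:
                findings.append({"container": name, "status": "violation",
                                 "reason": "allowPrivilegeEscalation: true"})
            elif "allowPrivilegeEscalation" not in sc:
                findings.append({"container": name, "status": "unspecified",
                                 "reason": "allowPrivilegeEscalation not set"})
    return findings


def violations(manifest: Dict) -> List[str]:
    """Names of containers that fail the page's rule outright."""
    return [f["container"] for f in check_privilege_escalation(manifest)
            if f["status"] == "violation"]


# Constructed sample manifests for the example (not real workloads).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sec-demo"},
    "spec": {"containers": [{
        "name": "sec-demo-container",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"allowPrivilegeEscalation": False},
    }]},
}

RISKY_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [
            {"name": "app", "securityContext": {"allowPrivilegeEscalation": True}},
            {"name": "sidecar"},  # field omitted: reported as "unspecified"
        ],
        "initContainers": [
            {"name": "setup", "securityContext": {"privileged": True}},
        ],
    }}},
}

if __name__ == "__main__":
    for m in (COMPLIANT_POD, RISKY_DEPLOYMENT):
        print(m["kind"], m["metadata"]["name"])
        for f in check_privilege_escalation(m):
            print(f"  {f['status']:<12} {f['container']}: {f['reason']}")
```

To run it against real files, load each document with yaml.safe_load_all() and pass the resulting dicts to check_privilege_escalation(); treating "unspecified" as a failure is the switch to flip when a namespace is enforced at the restricted Pod Security Standard level.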