Pods should not run containers with allowPrivilegeEscalation

Description

The allowPrivilegeEscalation setting controls whether a process can gain more privileges than its parent process. Set allowPrivilegeEscalation to false unless it is absolutely required.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that containers in a Kubernetes.Pod configure a securityContext where allowPrivilegeEscalation is set to false, or is not specified (the default is false).

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: sec-demo
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: false
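The following checker is an added example, not part of this page or of any scanner product: it walks a manifest (JSON form, which kubectl accepts just like YAML) and reports, per container, whether allowPrivilegeEscalation is explicitly false, explicitly true, unset, or set to a non-boolean value. It goes beyond the Pod above by also looking inside the pod template of Deployments, DaemonSets, StatefulSets, Jobs, ReplicaSets and CronJobs, and by inspecting initContainers and ephemeralContainers as well as containers. Unset is reported separately rather than as a pass because the Kubernetes Pod Security Standards "restricted" profile requires the field to be explicitly false. The sample manifests, names and images are constructed for the example.

```python
import json

# Constructed sample manifests for this example (JSON form of Kubernetes objects).
# The first mirrors the Pod on this page; the second is an invented Deployment
# with one container that explicitly allows escalation and an init container
# that leaves the field unset.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "sec-demo"},
        "spec": {"containers": [{
            "name": "sec-demo-container",
            "image": "gcr.io/google-samples/node-hello:1.0",
            "securityContext": {"allowPrivilegeEscalation": False},
        }]},
    },
    {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "legacy-app"},  # hypothetical workload
        "spec": {"template": {"spec": {
            "initContainers": [{"name": "setup", "image": "example/setup:1"}],
            "containers": [{
                "name": "app", "image": "example/app:1",
                "securityContext": {"allowPrivilegeEscalation": True},
            }],
        }}},
    },
]

# Workload kinds whose pod spec lives at spec.template.spec
POD_TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}
# Container list fields the Pod Security Standards check
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(obj):
    """Locate the PodSpec inside a Pod or a templated workload; None if the kind has none."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in POD_TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    return None


def check_manifest(obj):
    """Return (object, container, status) tuples.

    status is one of:
      "ok"      - allowPrivilegeEscalation is explicitly false
      "fail"    - allowPrivilegeEscalation is explicitly true
      "unset"   - field absent (kubelet default applies; restricted profile rejects this)
      "invalid" - present but not a boolean (e.g. the string "false" from a YAML typo)
    """
    spec = pod_spec(obj)
    if spec is None:
        return []
    name = (obj.get("metadata") or {}).get("name", "<unnamed>")
    ident = f"{obj.get('kind')}/{name}"
    findings = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            value = (container.get("securityContext") or {}).get("allowPrivilegeEscalation")
            if value is False:
                status = "ok"
            elif value is True:
                status = "fail"
            elif value is None:
                status = "unset"
            else:
                status = "invalid"
            findings.append((ident, container.get("name", "<unnamed>"), status))
    return findings


def check_manifests(objs):
    """Flatten findings across several objects (e.g. one multi-document file)."""
    return [f for obj in objs for f in check_manifest(obj)]


if __name__ == "__main__":
    for ident, container, status in check_manifests(SAMPLE_MANIFESTS):
        print(f"{status:8s} {ident} container={container}")
    print(json.dumps(check_manifests(SAMPLE_MANIFESTS)))
```

In a CI pipeline the same functions can be fed `kubectl get <kind> -o json` output or a rendered Helm chart converted to JSON; anything reported as "fail" or "invalid" should block the deploy, and "unset" is worth surfacing so the owner can make the setting explicit.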