Enforce No Privilege Escalation 1.0.2

Enforces that no container is allowed to escalate its privileges. Kubernetes defaults allowPrivilegeEscalation to true, so it must be set to false explicitly in each container's securityContext.


Note that this policy is part of the following security standards:

  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.2.5
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A17

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
          securityContext:                   # lines to add for this policy
            allowPrivilegeEscalation: false

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforcenoprivilegeescalation as in the example below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcenoprivilegeescalation: |-
      This container must escalate its privileges in order to function correctly.
...
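As an added illustration (not Security Tower's own code) of how the check above and the risk-acceptance annotation fit together, the following hypothetical checker walks a parsed manifest of any of the listed kinds, reports every container and init container that does not set allowPrivilegeEscalation to false, and skips workloads carrying the exclusion annotation. The nginx_deployment helper rebuilds the page's example Deployment as the dicts a YAML loader would produce; the function and helper names are assumptions.

```python
from typing import Any, Dict, List, Optional

# Annotation name taken from the policy page's "Risk acceptance" section.
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.enforcenoprivilegeescalation"
TEMPLATED_KINDS = {"ReplicaSet", "ReplicationController", "Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(obj: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Locate the pod spec inside each kind the policy applies to; None for other kinds."""
    kind, spec = obj.get("kind"), obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> Job template -> pod template
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec")
    return None


def check_no_privilege_escalation(obj: Dict[str, Any]) -> List[str]:
    """One finding per container (init containers included) that does not set
    allowPrivilegeEscalation: false. Hypothetical checker, not Security Tower's own."""
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    if EXCLUSION_ANNOTATION in annotations:  # risk accepted for this workload
        return []
    spec = pod_spec(obj)
    if spec is None:  # kind not covered by this policy
        return []
    findings = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            sctx = container.get("securityContext") or {}
            # The field defaults to true, so an absent value fails just like an explicit true.
            if sctx.get("allowPrivilegeEscalation") is not False:
                findings.append(f"{field}/{container.get('name', '?')}: "
                                "allowPrivilegeEscalation is not set to false")
    return findings


def nginx_deployment(security_context: Optional[Dict[str, Any]] = None,
                     annotations: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Constructed sample: the page's nginx Deployment as a YAML loader would parse it."""
    container: Dict[str, Any] = {"name": "nginx", "image": "nginx:1.14.2", "ports": [{"containerPort": 80}]}
    if security_context is not None:
        container["securityContext"] = security_context
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nginx-deployment", "annotations": annotations or {}},
            "spec": {"replicas": 1, "template": {"spec": {"containers": [container]}}}}
```

Running check_no_privilege_escalation on nginx_deployment() yields one finding for the nginx container, and passing {"allowPrivilegeEscalation": False} or the exclusion annotation yields none.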