Prevent Privileged 1.1.6

This policy disallows running containers in privileged mode. The exact set of privileges granted is defined by the container runtime, but in every case the flag effectively gives the container the same access as root on the node, so it is extremely dangerous. If a container needs more rights than the default, add only the capabilities it actually needs via securityContext.capabilities rather than setting privileged: true.

Note that this policy is part of the following security standards:

  • k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.2.1
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A17

Categories

  • Privilege Escalation
  • Security

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
-         securityContext:
-           privileged: true

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventprivileged as in the example below. The annotation value should state why the container must be privileged.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.preventprivileged: |-
      This container must be privileged in order to function correctly.
...
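The following is an added example, not Security Tower's own checker: a small evaluator for this policy over Kubernetes manifests that have already been parsed into dictionaries (the structure yaml.safe_load returns). It walks the pod template of every resource kind in the "Applies to" list (including the extra nesting of CronJob), flags any init, regular or ephemeral container with privileged: true, and honours the risk-acceptance annotation from the section above. The function names, the sample manifests and the rule that a non-empty exclusion annotation counts as accepted risk are assumptions made for this example. The hardened sample shows the fine-grained alternative the policy text recommends: drop all capabilities and add back only the one the workload needs.

```python
# Added example (not Security Tower code): evaluate the "Prevent Privileged"
# policy against parsed Kubernetes manifests. Names and samples are constructed.
from typing import Any, Dict, Iterator, List, Optional, Tuple

EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventprivileged"

# Kinds that carry the pod template at spec.template (from the "Applies to" list).
TEMPLATE_KINDS = {"ReplicaSet", "ReplicationController", "Deployment",
                  "StatefulSet", "DaemonSet", "Job"}


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec of a workload manifest, or None if the kind is out of scope."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob nests the pod template one level deeper
        tmpl = ((spec.get("jobTemplate") or {}).get("spec") or {}).get("template") or {}
        return tmpl.get("spec") or {}
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return None


def iter_containers(spec: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (field, container) for init, regular and ephemeral containers."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            yield field, container


def privileged_containers(manifest: Dict[str, Any]) -> List[str]:
    """List containers (as field/name) whose securityContext sets privileged: true."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    return [
        f"{field}/{c.get('name', '<unnamed>')}"
        for field, c in iter_containers(spec)
        if (c.get("securityContext") or {}).get("privileged") is True
    ]


def has_risk_acceptance(manifest: Dict[str, Any]) -> bool:
    """Assumption: a non-empty exclusion annotation documents an accepted risk."""
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    return bool(str(annotations.get(EXCLUSION_ANNOTATION, "")).strip())


def evaluate(manifest: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return ("pass" | "fail" | "excluded", offending containers)."""
    offending = privileged_containers(manifest)
    if not offending:
        return "pass", []
    if has_risk_acceptance(manifest):
        return "excluded", offending
    return "fail", offending


def deployment(name: str, container: Dict[str, Any],
               annotations: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Build a constructed apps/v1 Deployment around a single container spec."""
    meta: Dict[str, Any] = {"name": name, "labels": {"app": name}}
    if annotations:
        meta["annotations"] = annotations
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": meta,
            "spec": {"replicas": 1, "selector": {"matchLabels": {"app": name}},
                     "template": {"metadata": {"labels": {"app": name}},
                                  "spec": {"containers": [container]}}}}


# Constructed samples: the violating container from the page's example ...
PRIVILEGED_NGINX = {"name": "nginx", "image": "nginx:1.14.2",
                    "ports": [{"containerPort": 80}],
                    "securityContext": {"privileged": True}}
# ... and the fine-grained alternative: drop everything, add back only what is needed.
HARDENED_NGINX = {"name": "nginx", "image": "nginx:1.14.2",
                  "ports": [{"containerPort": 80}],
                  "securityContext": {"privileged": False,
                                      "allowPrivilegeEscalation": False,
                                      "capabilities": {"drop": ["ALL"],
                                                       "add": ["NET_BIND_SERVICE"]}}}

VIOLATING = deployment("nginx-deployment", PRIVILEGED_NGINX)
COMPLIANT = deployment("nginx-deployment", HARDENED_NGINX)
ACCEPTED = deployment("your-deployment", PRIVILEGED_NGINX, {
    EXCLUSION_ANNOTATION: "This container must be privileged in order to function correctly."})
PRIVILEGED_CRONJOB = {  # privileged initContainer hidden behind CronJob's extra nesting
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "backup"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "prep", "image": "busybox",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "backup", "image": "busybox"}]}}}}}}

if __name__ == "__main__":
    for m in (VIOLATING, COMPLIANT, ACCEPTED, PRIVILEGED_CRONJOB):
        verdict, names = evaluate(m)
        print(f"{m['kind']}/{m['metadata']['name']}: {verdict} {names}")
```

Running the script reports fail for the page's Deployment and for the CronJob (its privileged init container sits under spec.jobTemplate.spec.template.spec, which is easy to miss in hand-written checks), pass for the hardened Deployment, and excluded for the annotated one. Checking all three container lists matters because a privileged initContainer runs with the same node-level access as a privileged main container.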