Prevent Privilege Escalation 1.1.6

This policy is deprecated!

This policy only regards an explicit allowPrivilegeEscalation: true as a violation. However, this field defaults to true when it is omitted, so it must be set to false explicitly to be safe. To cover the omitted case, migrate to the new EnforceNoPrivilegeEscalation policy as soon as possible.

  • deprecated

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
-         securityContext:
-           allowPrivilegeEscalation: true

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventprivilegeescalation as in the example below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.preventprivilegeescalation: |-
      This container must escalate its privileges in order to function correctly.
...
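The following script is an added example, not part of this page or of Security Tower's own policy engine. It models the difference between the deprecated rule above (only an explicit true is flagged) and the replacement EnforceNoPrivilegeEscalation rule (anything but an explicit false is flagged, because the Kubernetes default is true), and it honours the risk acceptance annotation from the section above. The function names, the strict flag, and the manifests are all assumptions made for this example; the manifests are constructed sample input written as Python dicts so the script runs without a YAML library, and the pod spec lookup follows the workload kinds in the "Applies to" list.

```python
"""Added example: model the deprecated and replacement privilege-escalation rules.

Not Security Tower code. Manifests are constructed sample input.
"""

# Annotation key taken from the risk acceptance section of the page.
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventprivilegeescalation"


def pod_spec(workload):
    """Return the PodSpec for a Pod or for any controller kind the policy applies to."""
    kind = workload.get("kind")
    spec = workload.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        # CronJob -> Job template -> Pod template -> PodSpec
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    # ReplicaSet, ReplicationController, Deployment, StatefulSet, DaemonSet, Job
    return spec["template"]["spec"]


def is_excluded(workload):
    """True when the workload carries the risk-acceptance annotation with a non-empty reason."""
    annotations = workload.get("metadata", {}).get("annotations") or {}
    return bool(annotations.get(EXCLUSION_ANNOTATION, "").strip())


def find_violations(workload, strict=False):
    """Return the names of containers (init containers included) that may escalate privileges.

    strict=False mimics the deprecated rule: only an explicit True is a violation.
    strict=True mimics EnforceNoPrivilegeEscalation: any value other than an
    explicit False is a violation, because Kubernetes defaults the field to true.
    """
    if is_excluded(workload):
        return []
    spec = pod_spec(workload)
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    violations = []
    for container in containers:
        value = (container.get("securityContext") or {}).get("allowPrivilegeEscalation")
        if value is True or (strict and value is not False):
            violations.append(container["name"])
    return violations


def deployment(name, security_context=None, annotations=None):
    """Build a constructed Deployment manifest with a single nginx container."""
    container = {"name": "nginx", "image": "nginx:1.14.2", "ports": [{"containerPort": 80}]}
    if security_context is not None:
        container["securityContext"] = security_context
    metadata = {"name": name, "labels": {"app": "nginx"}}
    if annotations:
        metadata["annotations"] = annotations
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": metadata,
        "spec": {
            "replicas": 1,
            "selector": {"matchLabels": {"app": "nginx"}},
            "template": {"metadata": {"labels": {"app": "nginx"}},
                         "spec": {"containers": [container]}},
        },
    }


# Constructed manifests covering the cases the page describes.
EXPLICIT_TRUE = deployment("explicit-true", {"allowPrivilegeEscalation": True})
OMITTED = deployment("omitted")  # field missing -> Kubernetes default is true
HARDENED = deployment("hardened", {"allowPrivilegeEscalation": False})
ACCEPTED = deployment(
    "accepted",
    {"allowPrivilegeEscalation": True},
    {EXCLUSION_ANNOTATION: "This container must escalate its privileges in order to function correctly."},
)
# A CronJob whose init container omits the field while the main container sets it to false.
CRONJOB = {
    "apiVersion": "batch/v1",
    "kind": "CronJob",
    "metadata": {"name": "backup"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "image": "busybox"}],
        "containers": [{"name": "backup", "image": "busybox",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    }}}}},
}

if __name__ == "__main__":
    for label, manifest in [("explicit-true", EXPLICIT_TRUE), ("omitted", OMITTED),
                            ("hardened", HARDENED), ("accepted", ACCEPTED), ("cronjob", CRONJOB)]:
        print(f"{label:14} deprecated={find_violations(manifest)} "
              f"enforce={find_violations(manifest, strict=True)}")
```

Running the script shows the gap the deprecation notice warns about: the "omitted" manifest passes the deprecated rule and fails the strict one, and the CronJob's init container is caught only by the strict rule. The exclusion is applied at workload level, as the annotation on the page is, so every container in an annotated workload is skipped.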