Description
Privileged mode disables most security mechanisms and must not be allowed. This control ensures Pods do not call for privileged mode.
Restricted Fields
- spec.containers[*].securityContext.privileged
- spec.initContainers[*].securityContext.privileged
- spec.ephemeralContainers[*].securityContext.privileged
Allowed Values
- Undefined/nil
- false
Kyverno Policy
Refer to the Nirmata curated policies - disallow-privileged-containers.yaml
References
Configuration Settings
The below configuration indicates that if the deployed resource contains one of ephemeralContainers
or initContainers
or containers
in their spec
field, AND if securityContex.privileged
field is present, then the only acceptable value is false
to be conformant with this security control. If the securityContext.privileged
field is not present, then the resource is conformant by default.
=(ephemeralContainers):
- =(securityContext):
=(privileged): "false"
=(initContainers):
- =(securityContext):
=(privileged): "false"
containers:
- =(securityContext):
=(privileged): "false"
Resource Example
Below is a Deployment
resource example where securityContext.privileged
is set to false
for both initContainers
and containers
.
apiVersion: apps/v1
kind: Deployment
metadata:
name: gooddeployment
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
initContainers:
- name: initcontainer01
image: dummyimagename
securityContext:
privileged: false
- name: initcontainer02
image: dummyimagename
containers:
- name: container01
image: dummyimagename
securityContext:
privileged: false