Description
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. Setting allowPrivilegeEscalation to false sets the no_new_privs flag on the container process, so setuid/setgid binaries and file capabilities cannot grant it more privileges than it started with. This is a Linux-only policy in v1.25+ (spec.os.name != windows).
Restricted Fields
- spec.containers[*].securityContext.allowPrivilegeEscalation
- spec.initContainers[*].securityContext.allowPrivilegeEscalation
- spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
Allowed Values
- false
Kyverno Policy
Refer to the Nirmata curated policy disallow-privilege-escalation.yaml.
References
Configuration Settings
The pattern below is applied to the spec of the deployed resource (for Pod controllers such as a Deployment, the Pod template spec). The =() equality anchors on ephemeralContainers and initContainers make those lists optional: if the list is absent nothing is checked, but if it is present every entry must match. containers carries no anchor, so it is required. Inside each entry, securityContext and allowPrivilegeEscalation are also unanchored, so the field must be present on every container and set to false; a container that omits the field is not conformant, because Kubernetes does not default it to false and escalation stays allowed. The pattern writes the value as the string "false", which Kyverno matches against the boolean false in the resource.

```yaml
=(ephemeralContainers):
  - securityContext:
      allowPrivilegeEscalation: "false"
=(initContainers):
  - securityContext:
      allowPrivilegeEscalation: "false"
containers:
  - securityContext:
      allowPrivilegeEscalation: "false"
```
Resource Example
Below is a Deployment resource example where securityContext.allowPrivilegeEscalation is set to false for all initContainers and containers.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
        - name: initcontainer01
          image: dummyimagename
          securityContext:
            allowPrivilegeEscalation: false
        - name: initcontainer02
          image: dummyimagename
          securityContext:
            allowPrivilegeEscalation: false
      containers:
        - name: container01
          image: dummyimagename
          securityContext:
            allowPrivilegeEscalation: false
        - name: container02
          image: dummyimagename
          securityContext:
            allowPrivilegeEscalation: false
```
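As an added example that is not part of this page or of the Kyverno project, the Python below encodes the pattern semantics described under Configuration Settings (unanchored keys required, =() anchored lists optional, list patterns applied to every element) and runs them against the gooddeployment example above plus two constructed failing variants: a Deployment whose second container omits the field, and a Pod with an ephemeral debug container that explicitly sets it to true. The function names, violation messages and reduced-to-dict manifests are illustrative assumptions; in a cluster the check is performed by Kyverno's admission webhook or the kyverno CLI, not by this script.

```python
"""Added example, not part of the Nirmata page or the Kyverno project: a
minimal evaluator for the disallow-privilege-escalation pattern. It encodes
the pattern semantics described under Configuration Settings (unanchored keys
are required, =() anchored keys are optional, list patterns apply to every
element) so a manifest can be checked offline. Function and message names are
illustrative assumptions, not Kyverno APIs.
"""

# Which container lists the pattern covers, and whether the pattern anchors
# them with =() (optional) or leaves them unanchored (required).
CONTAINER_LISTS = {
    "ephemeralContainers": "optional",  # =(ephemeralContainers)
    "initContainers": "optional",       # =(initContainers)
    "containers": "required",           # no anchor
}

FIELD = "allowPrivilegeEscalation"


def check_pod_spec(pod_spec):
    """Apply the pattern to one Pod spec.

    Returns a list of violation strings; an empty list means the spec is
    conformant. Paths follow the Restricted Fields list on the page.
    """
    violations = []
    for list_name, mode in CONTAINER_LISTS.items():
        if list_name not in pod_spec:
            # =() anchor: an absent list is fine. Unanchored: absent fails.
            if mode == "required":
                violations.append(f"spec.{list_name}: missing")
            continue
        for i, container in enumerate(pod_spec[list_name] or []):
            path = f"spec.{list_name}[{i}].securityContext.{FIELD}"
            sc = container.get("securityContext")
            if not isinstance(sc, dict) or FIELD not in sc:
                # securityContext and the field carry no anchor, so the field
                # must be present; Kubernetes does not default it to false.
                violations.append(f"{path}: not set")
            elif sc[FIELD] is not False:
                # The pattern writes "false" as a string; it matches the
                # boolean false in the resource and nothing else.
                violations.append(f"{path}: {sc[FIELD]!r}")
    return violations


def check_workload(obj):
    """Check a Pod directly, or a Pod controller via spec.template.spec."""
    if obj.get("kind") == "Pod":
        return check_pod_spec(obj["spec"])
    return check_pod_spec(obj["spec"]["template"]["spec"])


def _container(name, **security_context):
    """Constructed container entry (image name is a placeholder)."""
    c = {"name": name, "image": "dummyimagename"}
    if security_context:
        c["securityContext"] = security_context
    return c


# Constructed samples (not from a real cluster). The first mirrors the
# gooddeployment example above, reduced to the fields the pattern reads.
GOOD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [
            _container("initcontainer01", allowPrivilegeEscalation=False),
            _container("initcontainer02", allowPrivilegeEscalation=False),
        ],
        "containers": [
            _container("container01", allowPrivilegeEscalation=False),
            _container("container02", allowPrivilegeEscalation=False),
        ],
    }}},
}

# Same shape, but container02 has no securityContext at all.
MISSING_FIELD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [
            _container("container01", allowPrivilegeEscalation=False),
            _container("container02"),
        ],
    }}},
}

# A Pod whose ephemeral debug container explicitly allows escalation.
ESCALATING_POD = {
    "kind": "Pod",
    "spec": {
        "containers": [_container("app", allowPrivilegeEscalation=False)],
        "ephemeralContainers": [
            _container("debugger", allowPrivilegeEscalation=True),
        ],
    },
}

if __name__ == "__main__":
    for label, obj in [("good", GOOD_DEPLOYMENT),
                       ("missing-field", MISSING_FIELD_DEPLOYMENT),
                       ("ephemeral-true", ESCALATING_POD)]:
        print(label, check_workload(obj) or "conformant")
```

The two failing samples show the caveat that matters in practice: leaving the field out is reported exactly like setting it to true, and a debug container injected with kubectl debug is covered by the ephemeralContainers anchor even though the Pod's original containers all conform.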