Ensure that Containers are not running in privileged mode

Pod Security Policies are cluster-wide resources that control security sensitive aspects of pod specification. Pod Security Policy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for their related fields.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.18
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod where ((not name regexMatch /cp-resource-management/) or (spec.containers contain [ securityContext ]) or (spec.initContainers contain [ securityContext ]) and (namespace != 'kube-system')) should not have spec.containers contain [ securityContext.privileged=true ] or spec.initContainers contain [ securityContext.privileged=true ]
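The following is an added example, not CloudGuard's own code, that performs the same check outside the platform: it walks the JSON that kubectl get pods -A -o json emits and reports every container or initContainer that requests securityContext.privileged=true, applying the rule's two exclusions (the kube-system namespace and pod names matching cp-resource-management). The pod list embedded below is constructed for the example; the function names and the exact treatment of the exclusions are assumptions about the rule's intent, not the GSL engine's implementation.

```python
"""Added example: detect privileged containers in a kubectl pod list (JSON).

Not CloudGuard's code. Mirrors the intent of rule D9.K8S.IAM.18: flag any
container or initContainer with securityContext.privileged: true, skipping
the kube-system namespace and pods named *cp-resource-management*.
"""
import json
import re

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {   # violation: the app container runs privileged
            "metadata": {"name": "web-0", "namespace": "prod"},
            "spec": {"containers": [
                {"name": "web", "securityContext": {"privileged": True}},
                {"name": "sidecar", "securityContext": {"privileged": False}},
            ]},
        },
        {   # violation: only the init container is privileged
            "metadata": {"name": "db-0", "namespace": "prod"},
            "spec": {
                "initContainers": [
                    {"name": "sysctl", "securityContext": {"privileged": True}},
                ],
                "containers": [{"name": "db"}],
            },
        },
        {   # excluded: kube-system is out of scope for the rule
            "metadata": {"name": "kube-proxy-abc", "namespace": "kube-system"},
            "spec": {"containers": [
                {"name": "kube-proxy", "securityContext": {"privileged": True}},
            ]},
        },
        {   # excluded: name matches the cp-resource-management exception
            "metadata": {"name": "cp-resource-management-xyz", "namespace": "default"},
            "spec": {"containers": [
                {"name": "agent", "securityContext": {"privileged": True}},
            ]},
        },
        {   # compliant: no securityContext at all (defaults to unprivileged)
            "metadata": {"name": "api-0", "namespace": "default"},
            "spec": {"containers": [{"name": "api"}]},
        },
    ],
})

EXCLUDED_NAME = re.compile(r"cp-resource-management")   # from the GSL regexMatch
EXCLUDED_NAMESPACES = {"kube-system"}                    # from the GSL namespace test


def in_scope(pod):
    """Return False for pods the rule deliberately ignores."""
    meta = pod.get("metadata", {})
    if meta.get("namespace") in EXCLUDED_NAMESPACES:
        return False
    if EXCLUDED_NAME.search(meta.get("name", "")):
        return False
    return True


def privileged_containers(pod):
    """Yield (list name, container name) for each container with privileged: true.

    Both initContainers and containers are inspected; a missing securityContext
    or an explicit privileged: false is compliant.
    """
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            if c.get("securityContext", {}).get("privileged") is True:
                yield kind, c["name"]


def find_privileged(pod_list_json):
    """Return [(namespace, pod, list name, container), ...] for in-scope violations."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        if not in_scope(pod):
            continue
        meta = pod["metadata"]
        for kind, name in privileged_containers(pod):
            findings.append((meta["namespace"], meta["name"], kind, name))
    return findings


if __name__ == "__main__":
    for ns, pod, kind, c in find_privileged(SAMPLE_POD_LIST):
        print(f"{ns}/{pod}: {kind}[{c}] runs privileged")
```

Run against the constructed sample it reports web-0 (containers/web) and db-0 (initContainers/sysctl) and stays silent on the kube-system, cp-resource-management and unprivileged pods. Because the input shape is exactly what the API server returns, the same find_privileged call works on the output of kubectl get pods -A -o json from a real cluster.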

REMEDIATION

Use this example PodSecurityPolicy object in a file to create a policy that simply prevents the creation of privileged pods. For the policy to take effect, the PodSecurityPolicy admission controller must be enabled on the API server and the policy must be granted (RBAC "use" on the podsecuritypolicies resource) to the service accounts of the pods it should govern. Note that PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25; on those versions use the built-in Pod Security Admission controller instead, whose baseline and restricted profiles both reject privileged containers.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

References

For more on how to enable and update pod specifications using Pod Security Policy, refer to: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged

  1. https://aws.github.io/aws-eks-best-practices/security/docs/pods/#restrict-the-containers-that-can-run-as-privileged (EKS)

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers) with shared storage and network, and a specification for how to run the containers.

Compliance Frameworks

  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices