Minimize the admission of containers with allowPrivilegeEscalation (PSP)

Do not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.

Risk Level: High
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.25
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

List<KubernetesPodSecurityPolicy> where items length() > 0 should have items contain [spec.allowPrivilegeEscalation != 'true']

REMEDIATION

Create a CloudGuard Admission Control (CAC) rule or a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. Note that Kubernetes defaults the PSP field to true when it is unspecified, so setting it explicitly to false is the reliable choice.
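The following is an added example, not CloudGuard's or Kubernetes' own code. It evaluates a PodSecurityPolicy list with the same semantics as the GSL logic above (the list must contain at least one PSP whose allowPrivilegeEscalation is not true) and, more usefully for remediation, names every PSP that still permits escalation. The sample list is constructed inline in the shape returned by `kubectl get psp -o json`; the `strict` option is an assumption of this example that applies the Kubernetes default (unset means true).

```python
import json

# Constructed sample in the shape of `kubectl get psp -o json` (trimmed).
SAMPLE_PSP_LIST = json.loads("""
{
  "apiVersion": "policy/v1beta1",
  "kind": "PodSecurityPolicyList",
  "items": [
    {"metadata": {"name": "privileged"},
     "spec": {"privileged": true, "allowPrivilegeEscalation": true}},
    {"metadata": {"name": "restricted"},
     "spec": {"privileged": false, "allowPrivilegeEscalation": false}},
    {"metadata": {"name": "legacy-default"},
     "spec": {"privileged": false}}
  ]
}
""")


def allows_privilege_escalation(psp, treat_unset_as_true=False):
    """True if this PSP lets pods request allowPrivilegeEscalation=true.

    The GSL rule compares only against an explicit 'true', so an omitted
    field counts as compliant. Kubernetes itself defaults the PSP field to
    true when unspecified; treat_unset_as_true=True applies that reading.
    """
    value = psp.get("spec", {}).get("allowPrivilegeEscalation")
    if value is None:
        return treat_unset_as_true
    return bool(value)


def noncompliant_policies(psp_list, strict=False):
    """Names of PSPs that permit privilege escalation (fix these first)."""
    return [p["metadata"]["name"] for p in psp_list.get("items", [])
            if allows_privilege_escalation(p, strict)]


def rule_passes(psp_list):
    """Verdict with the GSL semantics: when at least one PSP exists, the
    list must contain a PSP whose allowPrivilegeEscalation is not 'true'."""
    items = psp_list.get("items", [])
    if len(items) == 0:
        return True  # 'where items length() > 0': rule does not apply
    return any(not allows_privilege_escalation(p) for p in items)


if __name__ == "__main__":
    print("rule verdict:", "PASS" if rule_passes(SAMPLE_PSP_LIST) else "FAIL")
    print("PSPs allowing escalation:", noncompliant_policies(SAMPLE_PSP_LIST))
    print("strict (unset = true):", noncompliant_policies(SAMPLE_PSP_LIST, strict=True))
```

Note that the rule verdict is PASS for the sample even though the `privileged` PSP allows escalation, because the GSL `contain` check is satisfied by a single compliant policy; the per-policy list is what drives remediation.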

References

  1. https://kubernetes.io/docs/concepts/policy/pod-security-policy

Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields. PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25; on newer clusters the same control is enforced through Pod Security Admission or an admission controller such as CAC.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices