Finds containers that allow privilege escalation.

```
kubeaudit privesc [flags]
```

See Global Flags.
```
$ kubeaudit privesc -f "auditors/privesc/fixtures/allow-privilege-escalation-nil.yml"

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    name: statefulset
    namespace: allow-privilege-escalation-nil

--------------------------------------------

-- [error] AllowPrivilegeEscalationNil
   Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
   Metadata:
      Container: container
```
`allowPrivilegeEscalation` controls whether a process can gain more privileges than its parent process. Privilege escalation is disabled by setting `allowPrivilegeEscalation` to `false` in the container `SecurityContext`. The field defaults to `true`, so it must be explicitly set to `false` to pass the `privesc` audit:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: myContainer
          securityContext:
            allowPrivilegeEscalation: false
```

For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
First, see the Introduction to Override Errors.

Override identifier: `allow-privilege-escalation`

Container overrides have the form:

```
container.audit.kubernetes.io/[container name].allow-privilege-escalation: ""
```

Pod overrides have the form:

```
audit.kubernetes.io/pod.allow-privilege-escalation: ""
```
Example of resource with `privesc` overridden for a specific container:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    metadata:
      labels:
        container.audit.kubernetes.io/myContainer.allow-privilege-escalation: ""
    spec:
      containers:
        - name: myContainer
          securityContext:
            allowPrivilegeEscalation: true
```
Example of resource with `privesc` overridden for a whole pod:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    metadata:
      labels:
        audit.kubernetes.io/pod.allow-privilege-escalation: ""
    spec:
      containers:
        - name: myContainer
          securityContext:
            allowPrivilegeEscalation: true
```
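The following is an added example, not kubeaudit's own code, that re-implements the three pieces described on this page in one small Go program: the `privesc` check (a container fails when `allowPrivilegeEscalation` is unset or `true`), the fix (set the field to `false` on every container), and the pod-level and container-level override labels from the Override section. It uses only the standard library, so it reads the manifest as JSON, which the Kubernetes API accepts exactly as it accepts YAML. The `AllowPrivilegeEscalationNil` rule name is the one shown in the output above; the `AllowPrivilegeEscalationTrue` name is assumed to mirror it. Following the Introduction to Override Errors, an overridden finding is assumed to be downgraded from error to warning rather than dropped, so it still shows up in the report. The sample manifest is constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Finding struct {
	Container string
	Severity  string // "error", or "warning" when an override label applies
	Rule      string
}

// parse unmarshals a JSON manifest and returns the document, spec.template and the container maps.
func parse(manifestJSON string) (doc, tpl map[string]any, cs []map[string]any, err error) {
	if err = json.Unmarshal([]byte(manifestJSON), &doc); err != nil {
		return
	}
	spec, _ := doc["spec"].(map[string]any)
	if tpl, _ = spec["template"].(map[string]any); tpl == nil {
		return nil, nil, nil, fmt.Errorf("manifest has no spec.template")
	}
	podSpec, _ := tpl["spec"].(map[string]any)
	raw, _ := podSpec["containers"].([]any)
	for _, c := range raw {
		if cm, ok := c.(map[string]any); ok {
			cs = append(cs, cm)
		}
	}
	return
}

// overridden reports whether the pod-level or container-level override label is present.
func overridden(tpl map[string]any, container string) bool {
	meta, _ := tpl["metadata"].(map[string]any)
	labels, _ := meta["labels"].(map[string]any)
	if _, ok := labels["audit.kubernetes.io/pod.allow-privilege-escalation"]; ok {
		return true
	}
	_, ok := labels["container.audit.kubernetes.io/"+container+".allow-privilege-escalation"]
	return ok
}

// AuditPrivesc flags every container whose allowPrivilegeEscalation is unset (the field
// defaults to true) or explicitly true; overridden findings are reported as warnings.
func AuditPrivesc(manifestJSON string) ([]Finding, error) {
	_, tpl, cs, err := parse(manifestJSON)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, c := range cs {
		name, _ := c["name"].(string)
		sc, _ := c["securityContext"].(map[string]any)
		raw, present := sc["allowPrivilegeEscalation"]
		allow, _ := raw.(bool)
		var rule string
		switch {
		case !present:
			rule = "AllowPrivilegeEscalationNil"
		case allow:
			rule = "AllowPrivilegeEscalationTrue" // assumed name, mirrors the Nil case
		default:
			continue // explicitly false: passes the audit
		}
		sev := "error"
		if overridden(tpl, name) {
			sev = "warning"
		}
		findings = append(findings, Finding{Container: name, Severity: sev, Rule: rule})
	}
	return findings, nil
}

// FixPrivesc applies the page's fix to every container; editing the generic map keeps other fields intact.
func FixPrivesc(manifestJSON string) (string, error) {
	doc, _, cs, err := parse(manifestJSON)
	if err != nil {
		return "", err
	}
	for _, c := range cs {
		sc, ok := c["securityContext"].(map[string]any)
		if !ok {
			sc = map[string]any{}
			c["securityContext"] = sc
		}
		sc["allowPrivilegeEscalation"] = false
	}
	out, err := json.MarshalIndent(doc, "", "  ")
	return string(out), err
}

// Constructed sample: "app" leaves the field unset, "sidecar" sets it to true under a container override.
const sampleManifest = `{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {
   "metadata": {"labels": {"container.audit.kubernetes.io/sidecar.allow-privilege-escalation": ""}},
   "spec": {"containers": [
     {"name": "app", "image": "example/app:1.0"},
     {"name": "sidecar", "image": "example/sidecar:1.0", "securityContext": {"allowPrivilegeEscalation": true}}]}}}}`

func main() {
	findings, _ := AuditPrivesc(sampleManifest)
	for _, f := range findings {
		fmt.Printf("[%s] %s container=%s\n", f.Severity, f.Rule, f.Container)
	}
	fixed, _ := FixPrivesc(sampleManifest)
	after, _ := AuditPrivesc(fixed)
	fmt.Printf("findings after fix: %d\n", len(after))
}
```

Running it reports an error for `app` (field unset) and a warning for `sidecar` (explicitly `true`, but overridden by its container label), and zero findings once `FixPrivesc` has set the field to `false` on both containers. The fix deliberately edits the decoded map rather than a typed struct so that `image` and every other field the check does not model survive the rewrite, which is the property you want from any autofix that is going to be applied back to a cluster.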