Why is this an issue?

Running containers in privileged mode weakens the isolation between the container and the host, granting processes inside the container essentially the same permissions as the root user on the host. This elevated access undermines the security boundary that containers are meant to provide.

What is the potential impact?

Container escape

If an attacker compromises a process running inside a privileged container, they can gain root-level access to the host system.

Infrastructure compromise

From there, they can pivot to other systems accessible from the host, compromising the broader infrastructure.

How to fix it

Code examples

The following code runs a container with privileged: true, granting it root-level access to the host system.

Noncompliant code example

- name: Example playbook
  hosts: server
  tasks:
    - name: Run container
      community.docker.docker_container:
        name: container
        image: ubuntu:22.04
        privileged: true  # Noncompliant

Compliant solution

- name: Example playbook
  hosts: server
  tasks:
    - name: Run container
      community.docker.docker_container:
        name: container
        image: ubuntu:22.04
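
When privileged: true was set only because the container needs one specific host capability, that capability can be granted on its own. The following is an added example, not part of the original rule description; the NET_ADMIN capability and the /dev/net/tun device are assumed requirements, chosen for illustration.

```yaml
- name: Example playbook
  hosts: server
  tasks:
    - name: Run container with only the privileges it needs
      community.docker.docker_container:
        name: container
        image: ubuntu:22.04
        privileged: false              # explicit, so a later change stands out in review
        cap_drop:
          - ALL                        # start from no Linux capabilities
        capabilities:
          - NET_ADMIN                  # assumption: the workload configures network interfaces
        devices:
          - "/dev/net/tun:/dev/net/tun:rwm"   # assumption: the only host device it needs
        security_opts:
          - "no-new-privileges:true"   # processes cannot gain privileges via setuid binaries
        read_only: true                # root filesystem is mounted read-only
```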

Resources

Standards