The allowPrivilegeEscalation field controls whether a container process can gain more privileges than its parent process. When enabled, SUID (Set User ID) and SGID (Set Group ID) binaries within the container can escalate to root, potentially allowing an attacker to escape the container and compromise the underlying host.

Why is this an issue?

When allowPrivilegeEscalation is set to true, the no_new_privs flag is not applied to the container process. This allows binaries configured with SUID or SGID bits to change their runtime uid or gid, enabling privilege escalation within the container. This rule flags allowPrivilegeEscalation: true in a container’s securityContext.

What is the potential impact?

An attacker with code execution in the container can leverage SUID/SGID executables in the image to increase their effective privileges in ways that are not possible when no_new_privs is applied. This can broaden what data and services they can reach and simplify further compromise steps; the exact level of privilege gained depends on the binaries present in the image.

How to fix it

Code examples

Noncompliant code example

- name: Create pod
  hosts: all
  tasks:
    - name: Example
      kubernetes.core.k8s:
        state: present
        namespace: default
        definition:
          apiVersion: v1
          kind: Pod
          metadata:
            name: example
          spec:
            containers:
              - name: web
                image: nginx
                ports:
                  - name: web
                    containerPort: 80
                    protocol: TCP
                securityContext:
                  allowPrivilegeEscalation: true # Noncompliant

Compliant solution

- name: Create pod
  hosts: all
  tasks:
    - name: Example
      kubernetes.core.k8s:
        state: present
        namespace: default
        definition:
          apiVersion: v1
          kind: Pod
          metadata:
            name: example
          spec:
            containers:
              - name: web
                image: nginx
                ports:
                  - name: web
                    containerPort: 80
                    protocol: TCP
                securityContext:
                  allowPrivilegeEscalation: false
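To catch this setting before a playbook is applied, the following added checker (not part of the rule or of kubernetes.core) walks every kubernetes.core.k8s task with an inline definition and reports containers whose allowPrivilegeEscalation is true or unset. It assumes the playbook has already been parsed into Python objects (for example with PyYAML's yaml.safe_load); the sample at the bottom is a constructed equivalent of the noncompliant playbook above, plus one correctly configured sidecar.

```python
"""Flag containers whose allowPrivilegeEscalation is true or unset, in an
Ansible playbook already parsed into Python objects (e.g. yaml.safe_load)."""

# Workload kinds that wrap a pod spec under spec.template.spec
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(definition):
    """Return the pod spec of a Kubernetes object, or None if it has none."""
    spec = definition.get("spec") or {}
    if definition.get("kind") == "Pod":
        return spec
    if definition.get("kind") in TEMPLATED_KINDS:
        return (spec.get("template") or {}).get("spec")
    return None


def check_definition(definition):
    """Yield (container name, reason) for each container that may escalate."""
    spec = pod_spec(definition) or {}
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            value = (c.get("securityContext") or {}).get("allowPrivilegeEscalation")
            if value is True:
                yield c.get("name", "?"), "allowPrivilegeEscalation is true"
            elif value is None:
                # Unset behaves like true (no_new_privs is not applied), and the
                # restricted Pod Security Standard requires an explicit false.
                yield c.get("name", "?"), "allowPrivilegeEscalation is not set"


def check_playbook(plays):
    """Return 'task/container: reason' findings for every inline definition."""
    findings = []
    for play in plays:
        for task in play.get("tasks") or []:
            module = task.get("kubernetes.core.k8s")
            if isinstance(module, dict) and "definition" in module:
                for name, reason in check_definition(module["definition"]):
                    findings.append(f"{task.get('name')}/{name}: {reason}")
    return findings


# Constructed sample: parsed form of the noncompliant playbook, with one
# extra container that sets the field correctly.
SAMPLE_PLAYBOOK = [{"name": "Create pod", "hosts": "all", "tasks": [{
    "name": "Example", "kubernetes.core.k8s": {"state": "present", "namespace": "default",
    "definition": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example"},
    "spec": {"containers": [
        {"name": "web", "image": "nginx",
         "securityContext": {"allowPrivilegeEscalation": True}},  # Noncompliant
        {"name": "sidecar", "image": "busybox",
         "securityContext": {"allowPrivilegeEscalation": False}}]}}}}]}]
```

Running check_playbook(SAMPLE_PLAYBOOK) reports only the web container; the sidecar passes because the field is explicitly false.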

Resources

Documentation

Standards