The allowPrivilegeEscalation field controls whether a container process can gain more privileges than its parent process. When enabled, SUID (Set User ID) and SGID (Set Group ID) binaries within the container can escalate to root, potentially allowing an attacker to escape the container and compromise the underlying host.

Why is this an issue?

When allowPrivilegeEscalation is set to true, the no_new_privs flag is not applied to the container process. This allows binaries configured with SUID or SGID bits to change their runtime uid or gid, enabling privilege escalation within the container. This rule flags allowPrivilegeEscalation: true in a container’s securityContext.

What is the potential impact?

An attacker with code execution in the container can use SUID/SGID executables present in the image to raise their effective privileges in ways that no_new_privs would block. The gained privileges can broaden the data and services they can reach and simplify further compromise steps; the exact level of privilege depends on the binaries present in the image.

How to fix it

Code examples

Noncompliant code example

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        allowPrivilegeEscalation: true # Noncompliant

Compliant solution

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        allowPrivilegeEscalation: false
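The check described above, written out as an added example; it is not the rule's own implementation. It assumes the manifest has already been parsed into a dict (for instance with PyYAML's yaml.safe_load), and it goes slightly beyond the page by also covering initContainers and ephemeralContainers and by following the Pod template embedded in Deployment-style workloads and CronJobs (spec.template.spec and spec.jobTemplate.spec.template.spec). The sample Pod, Deployment and /proc status excerpt are constructed inline; the second helper shows how to confirm from inside a running container that the no_new_privs flag actually took effect.

```python
"""Report every container whose securityContext sets allowPrivilegeEscalation: true.

Added example, not the analyzer's code. Input is a manifest already parsed into
a dict (PyYAML's yaml.safe_load produces this shape); all sample objects below
are constructed and mirror the page's Pod example.
"""
from __future__ import annotations

# Every list in a PodSpec that holds container definitions.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(obj: dict) -> dict | None:
    """Return the PodSpec of a Pod, or of a workload that embeds a Pod template."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        # CronJob -> JobTemplate -> PodTemplate -> PodSpec
        job = spec.get("jobTemplate") or {}
        return ((job.get("spec") or {}).get("template") or {}).get("spec")
    # Deployment, StatefulSet, DaemonSet, ReplicaSet and Job embed spec.template.spec
    return (spec.get("template") or {}).get("spec")


def find_privilege_escalation(obj: dict) -> list[str]:
    """Return one 'Kind/name: list[container]' entry per noncompliant container."""
    findings: list[str] = []
    spec = pod_spec(obj)
    if not spec:
        return findings
    name = (obj.get("metadata") or {}).get("name", "<unnamed>")
    label = f"{obj.get('kind')}/{name}"
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            ctx = container.get("securityContext") or {}
            # YAML `true` loads as Python True. Only an explicit true is flagged,
            # matching the rule text above.
            if ctx.get("allowPrivilegeEscalation") is True:
                findings.append(f"{label}: {list_name}[{container.get('name')}]")
    return findings


def no_new_privs_from_status(status_text: str) -> int | None:
    """Parse the NoNewPrivs line of a /proc/<pid>/status dump (1 = flag set).

    Run against /proc/self/status inside a container, this confirms that
    allowPrivilegeEscalation: false really produced a no_new_privs process.
    Returns None when the kernel does not expose the field.
    """
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return int(line.split(":", 1)[1].strip())
    return None


# Constructed sample input mirroring the page's noncompliant and compliant Pods.
NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx",
        "securityContext": {"allowPrivilegeEscalation": True},
    }]},
}

COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx",
        "securityContext": {"allowPrivilegeEscalation": False},
    }]},
}

# Constructed Deployment: the init container is noncompliant, the main one is not.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "image": "busybox",
                            "securityContext": {"allowPrivilegeEscalation": True}}],
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    }}},
}

# Constructed excerpt of /proc/self/status from a process with the flag set.
STATUS_EXCERPT = "Name:\tnginx\nPid:\t1\nNoNewPrivs:\t1\nSeccomp:\t2\n"

if __name__ == "__main__":
    for obj in (NONCOMPLIANT_POD, COMPLIANT_POD, DEPLOYMENT):
        print(obj["kind"], find_privilege_escalation(obj))
    print("NoNewPrivs:", no_new_privs_from_status(STATUS_EXCERPT))
```

The status helper is the programmatic form of running `grep NoNewPrivs /proc/self/status` in the container: a value of 1 means the runtime applied no_new_privs because the field was set to false. Two caveats when reading results: the checker, like the rule, only flags an explicit true, so a container that omits the field is not reported even though Kubernetes treats an unset field as true; and Kubernetes always forces allowPrivilegeEscalation to true for a container that runs privileged or is granted CAP_SYS_ADMIN, so those settings need their own review.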

Resources

Documentation

Standards