Allowing process privilege escalations exposes the Pod to attacks that exploit setuid binaries.

This field directly controls whether the no_new_privs flag is set in the container process.
When this flag is enabled, binaries configured with setuid or setgid bits cannot change their runtime uid or gid; potential attackers must rely on other privilege escalation techniques to successfully operate as root on the Pod.

Depending on how resilient the Kubernetes cluster and Pods are, attackers can extend their attack to the cluster by compromising the node on which the Pod was scheduled.

The allowPrivilegeEscalation field should not be set to true unless the Pod’s risks related to setuid or setgid bits have been mitigated.

Ask Yourself Whether

There is a risk if you answered yes to all of these questions.

Recommended Secure Coding Practices

Sensitive Code Example

- name: Create pod
  hosts: all
  tasks:
    - name: Example
      kubernetes.core.k8s:
        state: present
        namespace: default
        definition:
          apiVersion: v1
          kind: Pod
          metadata:
            name: example
          spec:
            containers:
              - name: web
                image: nginx
                ports:
                  - name: web
                    containerPort: 80
                    protocol: TCP
                securityContext:
                  allowPrivilegeEscalation: true # Sensitive

Compliant Solution

- name: Create pod
  hosts: all
  tasks:
    - name: Example
      kubernetes.core.k8s:
        state: present
        namespace: default
        definition:
          apiVersion: v1
          kind: Pod
          metadata:
            name: example
          spec:
            containers:
              - name: web
                image: nginx
                ports:
                  - name: web
                    containerPort: 80
                    protocol: TCP
                securityContext:
                  allowPrivilegeEscalation: false
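As an added example (not part of this rule page), the following Python audit reads a Pod in the JSON shape returned by kubectl get pod -o json (a constructed sample is embedded) and reports every container that will run without the no_new_privs flag: the field unset, the field set to true, or a privileged / CAP_SYS_ADMIN container, for which Kubernetes forces allowPrivilegeEscalation to true regardless of what the manifest says.

```python
import json

# Constructed sample in the shape of `kubectl get pod -o json`, trimmed to the
# fields the audit needs. Container names and images are made up.
SAMPLE_POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "example", "namespace": "default"},
  "spec": {
    "initContainers": [
      {"name": "init", "image": "busybox"}
    ],
    "containers": [
      {"name": "web", "image": "nginx",
       "securityContext": {"allowPrivilegeEscalation": false}},
      {"name": "sidecar", "image": "fluentd",
       "securityContext": {"allowPrivilegeEscalation": true}},
      {"name": "worker", "image": "alpine",
       "securityContext": {"privileged": true, "allowPrivilegeEscalation": false}}
    ]
  }
}
"""


def audit_pod(pod: dict) -> list:
    """Return one finding per container that may run without no_new_privs."""
    findings = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            ape = sc.get("allowPrivilegeEscalation")
            caps = (sc.get("capabilities") or {}).get("add") or []
            where = f"{field}/{c.get('name', '?')}"
            if sc.get("privileged") is True or "SYS_ADMIN" in caps or "CAP_SYS_ADMIN" in caps:
                # Kubernetes overrides the field for these containers, so an
                # explicit false here gives no protection.
                findings.append(f"{where}: allowPrivilegeEscalation is forced to true (privileged or CAP_SYS_ADMIN)")
            elif ape is None:
                # Unset means the kubelet does not set no_new_privs.
                findings.append(f"{where}: allowPrivilegeEscalation not set (defaults to true)")
            elif ape is True:
                findings.append(f"{where}: allowPrivilegeEscalation is true")
    return findings


def audit_pod_json(text: str) -> list:
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    for finding in audit_pod_json(SAMPLE_POD_JSON):
        print(finding)
```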

See