Profile Applicability:
1
Type:
Behavioral Check
Category:
Control Plane Isolation
Description:
The securityContext.allowPrivilegeEscalation
setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.
Rationale:
The securityContext.allowPrivilegeEscalation
setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.
Audit:
Create a pod or container that sets allowPrivilegeEscalation
to true
in its securityContext
. The pod creation must fail.
Remediation:
Define a PodSecurityPolicy
with allowPrivilegeEscalation
set to false
and map the policy to each tenant's namespace, or use a policy engine such as OPA/Gatekeeper or Kyverno to prevent privilege escalation. You can use the policies present here.
namespaceRequired:
1