This policy checks container-level security parameters such as privilege escalation and root filesystem permissions. Developers and administrators often skip these parameters, and ignoring them can result in severe exploits, so it is essential to check them before deploying manifest files to production. Because of their severity and importance, these parameters are also part of the NSA Kubernetes Hardening Guide. More about the NSA Kubernetes Hardening Guide can be read here.
This policy enforces the following best practices:

```yaml
spec:
  containers:
    - securityContext:
        allowPrivilegeEscalation: false
```

and

```yaml
spec:
  containers:
    - securityContext:
        readOnlyRootFilesystem: true
```
The policy applies to the following resource kinds:
- Deployment
- StatefulSet
- Pods
Privilege Escalation - Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Solution/Remediation - If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.
Immutable Container filesystem - A mutable container filesystem can be altered to inject malicious code or data into containers. Use an immutable (read-only) filesystem to limit potential attacks.
Solution/Remediation - Set the readOnlyRootFilesystem field of securityContext to true. If your application requires a writable filesystem, it is recommended to mount secondary filesystems for the paths that need to be written to.
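The two rules above can be applied to a manifest before it reaches a cluster. The following checker is an added example written for this page and is not the policy's own implementation. It represents manifests as Python dicts (so it runs without a YAML parser), locates the pod spec for the three supported kinds, reports every container or init container that does not explicitly set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, and produces a hardened copy. The sample Deployment is constructed for illustration; the function and constant names are this example's own.

```python
# Added example for this policy page (not the policy engine's own code).
# Manifests are plain dicts, as produced by any YAML/JSON loader.
import copy

# Kinds the policy applies to, and the path to their pod spec (assumed from
# the Kubernetes API layout: Pod has spec, workloads have spec.template.spec).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec dict of a supported kind, or None for other kinds."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key, {})
    return node


def all_containers(spec):
    """Regular and init containers are both subject to the policy."""
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_manifest(manifest):
    """Return a list of (container name, finding) tuples.

    An absent field is a finding, not a pass: Kubernetes defaults
    allowPrivilegeEscalation to true and readOnlyRootFilesystem to false,
    so only an explicit value satisfies the policy.
    """
    findings = []
    spec = pod_spec(manifest)
    if spec is None:
        return findings
    for c in all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation is not false"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "readOnlyRootFilesystem is not true"))
    return findings


def harden_manifest(manifest):
    """Return a deep copy with both fields set on every container."""
    hardened = copy.deepcopy(manifest)
    spec = pod_spec(hardened)
    if spec is not None:
        for c in all_containers(spec):
            sc = c.setdefault("securityContext", {})
            sc["allowPrivilegeEscalation"] = False
            sc["readOnlyRootFilesystem"] = True
    return hardened


# Constructed sample: the web container sets nothing, the init container
# sets only one of the two fields.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "replicas": 2,
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "init-config", "image": "busybox",
                     "securityContext": {"allowPrivilegeEscalation": False}},
                ],
                "containers": [
                    {"name": "web", "image": "nginx"},
                ],
            }
        },
    },
}


if __name__ == "__main__":
    for name, finding in check_manifest(WEAK_DEPLOYMENT):
        print(f"{name}: {finding}")
    print("after hardening:", check_manifest(harden_manifest(WEAK_DEPLOYMENT)))
```

Running it on the sample reports three findings (two for `web`, one for `init-config`) and none for the hardened copy; kinds outside the policy's scope, such as a Service, produce no findings rather than a false positive.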
Viplove Bansal \ viploveb