severity Critical
category Security
online version https://github.com/Microsoft/PSRule.Rules.Kubernetes/blob/main/docs/rules/en/Kubernetes.Pod.PriviledgeEscalation.md

Deny privilege escalation

SYNOPSIS

Containers should deny privilege escalation.

DESCRIPTION

In the default configuration, container processes are permitted to change their effective user ID through a setuid binary. Changing the effective user ID could allow a malicious or vulnerable process to gain a higher level of permission than intended. To prevent this, explicitly set the securityContext.allowPrivilegeEscalation option to false on pod containers.

RECOMMENDATION

Consider explicitly setting the securityContext.allowPrivilegeEscalation option to false on pod containers.
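
As an added illustration (not part of the PSRule.Rules.Kubernetes project), the following Python check walks a Kubernetes manifest and reports every container that does not explicitly set securityContext.allowPrivilegeEscalation to false. The sample manifest, the function names and the set of workload kinds are constructed for this example; the check also looks inside initContainers and inside pod templates of workload kinds, which goes beyond the plain Pod case the text describes.

```python
import json

# Constructed sample manifest: the init container leaves the option unset,
# "web" sets it to true explicitly, and "sidecar" is compliant.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "example"},
  "spec": {
    "initContainers": [
      {"name": "init", "image": "busybox"}
    ],
    "containers": [
      {"name": "web", "image": "nginx",
       "securityContext": {"allowPrivilegeEscalation": true}},
      {"name": "sidecar", "image": "busybox",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ]
  }
}
""")

# Workload kinds whose pod spec lives under spec.template.spec (assumed list).
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(manifest):
    """Return the pod spec for a Pod, a templated workload or a CronJob."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        job = spec.get("jobTemplate", {}).get("spec", {})
        return job.get("template", {}).get("spec", {})
    return {}  # not a workload: nothing to check


def find_privilege_escalation(manifest):
    """Return findings for containers that do not deny privilege escalation.

    The option is per container (there is no pod-level equivalent), and an
    unset value means the default, which permits escalation.
    """
    findings = []
    for field in ("initContainers", "containers"):
        for c in pod_spec(manifest).get(field, []):
            value = c.get("securityContext", {}).get("allowPrivilegeEscalation")
            if value is None:
                findings.append(f"{field}/{c['name']}: allowPrivilegeEscalation not set (defaults to true)")
            elif value is True:
                findings.append(f"{field}/{c['name']}: allowPrivilegeEscalation is true")
    return findings
```

Feed it `json.load` of a manifest converted with `kubectl get pod <name> -o json` and an empty list means every container explicitly denies escalation.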

LINKS