Disallow Privileged Containers
Description
Privileged mode disables most of the isolation mechanisms between a container and its host and must not be allowed. This control ensures that Pods do not request privileged mode for any of their containers.
Restricted Fields
- spec.containers[*].securityContext.privileged
- spec.initContainers[*].securityContext.privileged
- spec.ephemeralContainers[*].securityContext.privileged
Allowed Values
- Undefined/nil
- false
Risks
When privileged is set to true, the following risks apply:
- Root Access on Host: When a container runs in privileged mode, the root user inside the container is effectively the root user on the host: the container receives all Linux capabilities and the usual confinement (seccomp, AppArmor/SELinux profiles, device restrictions) is disabled. This bypasses the normal container isolation mechanisms. If an attacker gains access to a privileged container, they can compromise the entire host system.
- Device and Capability Access: Privileged mode lifts all limitations enforced by the device cgroup controller, allowing the container to interact with every device on the host, including the block devices that hold the host filesystem. This unrestricted access can be used by attackers to exploit critical system components or read sensitive data.
- Potential Exploitation: If an attacker exploits a vulnerability in an application running inside a privileged container (for example, a Remote Code Execution vulnerability), the compromise is not contained to the container: they can use this access to escape the container and compromise the host system.
Kyverno Policy
Refer to the Nirmata curated policies - disallow-privileged-containers.yaml
References
Configuration Settings
The pattern below states that if the deployed resource contains ephemeralContainers, initContainers or containers in its spec field, AND the securityContext.privileged field is present on any of them, then the only acceptable value is false for the resource to be conformant with this security control. If the securityContext.privileged field is not present, the resource is conformant by default. The =() prefix is Kyverno's conditional anchor: the enclosed key is evaluated only when it exists in the resource, whereas the unanchored containers key must always be present (as it is in every Pod spec).
=(ephemeralContainers):
  - =(securityContext):
      =(privileged): "false"
=(initContainers):
  - =(securityContext):
      =(privileged): "false"
containers:
  - =(securityContext):
      =(privileged): "false"
Resource Example
Below is a Deployment resource example where securityContext.privileged is set to false for both initContainers and containers (the second init container omits securityContext entirely, which is also conformant).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
        - name: initcontainer01
          image: dummyimagename
          securityContext:
            privileged: false
        - name: initcontainer02
          image: dummyimagename
      containers:
        - name: container01
          image: dummyimagename
          securityContext:
            privileged: false
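To show the pattern from Configuration Settings in a complete policy, and the counterpart of the conformant Deployment above, here is an added example that is not the Nirmata curated disallow-privileged-containers.yaml the page refers to and not part of the original page: a full Kyverno ClusterPolicy wrapping that pattern, followed by a constructed Deployment that violates it. The policy name, rule name, validation message and the choice of Enforce mode are assumptions made for this example.

```yaml
# Added example, not the Nirmata curated policy: a ClusterPolicy built around the
# validation pattern shown in "Configuration Settings". Policy name, rule name and
# message are assumptions for illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  # Enforce rejects non-conformant resources at admission time; Audit would only report them.
  validationFailureAction: Enforce
  # Also scan resources that already exist in the cluster and report violations.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod   # Kyverno auto-generates equivalent rules for Deployments, DaemonSets, etc.
      validate:
        message: >-
          Privileged mode is disallowed. securityContext.privileged must be unset
          or false for all containers, initContainers and ephemeralContainers.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Non-conformant Deployment (constructed for this example): the init container sets
# privileged: true, so the rule fails even though the main container is conformant.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
        - name: initcontainer01
          image: dummyimagename
          securityContext:
            privileged: true    # violates the rule
      containers:
        - name: container01
          image: dummyimagename
          securityContext:
            privileged: false
```

Saving the two documents as separate files, `kyverno apply disallow-privileged-containers.yaml --resource baddeployment.yaml` reports the rule as failed for baddeployment, while the same command against the gooddeployment manifest above reports it as passed. With validationFailureAction set to Enforce, the cluster admission webhook rejects baddeployment outright; with Audit, it is admitted and the violation is recorded in a PolicyReport instead, which is the usual first step when rolling the control out to an existing cluster.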