Finds containers that allow privilege escalation.
kubeaudit privesc [flags]
See Global Flags
$ kubeaudit privesc -f "auditors/privesc/fixtures/allow-privilege-escalation-nil.yml"
---------------- Results for ---------------
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: statefulset
namespace: allow-privilege-escalation-nil
--------------------------------------------
-- [error] AllowPrivilegeEscalationNil
Message: allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.
Metadata:
Container: container
allowPrivilegeEscalation controls whether a process can gain more privileges than its parent process.
Privilege escalation is disabled by setting allowPrivilegeEscalation to false in the container SecurityContext. The field defaults to true so it must be explicitly set to false to pass the privesc audit:
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- name: myContainer
securityContext:
allowPrivilegeEscalation: falseFor more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
First, see the Introduction to Override Errors.
Override identifier: allow-privilege-escalation
Container overrides have the form:
container.audit.kubernetes.io/[container name].allow-privilege-escalation: ""Pod overrides have the form:
audit.kubernetes.io/pod.allow-privilege-escalation: ""Example of resource with privesc overridden for a specific container:
apiVersion: apps/v1
kind: Deployment
spec:
template:
metadata:
labels:
container.audit.kubernetes.io/myContainer.allow-privilege-escalation: ""
spec:
containers:
- name: myContainer
securityContext:
allowPrivilegeEscalation: trueExample of resource with privesc overridden for a whole pod:
apiVersion: apps/v1
kind: Deployment
spec:
template:
metadata:
labels:
audit.kubernetes.io/pod.allow-privilege-escalation: ""
spec:
containers:
- name: myContainer
securityContext:
allowPrivilegeEscalation: true