rspec/rules/S6430/description.adoc

Allowing process privilege escalations exposes the Pod to attacks that exploit
setuid binaries.

This field directly controls whether the `no_new_privs` flag is set in the
container process. +
When this flag is enabled, binaries configured with setuid or setgid bits
cannot change their runtime uid or gid: Potential attackers must rely on other
privilege escalation techniques to successfully operate as root on the Pod.

Depending on how resilient the Kubernetes cluster and Pods are, attackers can
extend their attack to the cluster by compromising the nodes from which the
cluster started the Pod.

The `allowPrivilegeEscalation` field should not be set to true unless the Pod's
risks related to setuid or setgid bits have been mitigated.
Add ansible to rule S6430 (#4372) Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com> 2024-10-07 15:49:54 +02:00			`Allowing process privilege escalations exposes the Pod to attacks that exploit`
			`setuid binaries.`

			This field directly controls whether the `no_new_privs` flag is set in the
			`container process. +`
			`When this flag is enabled, binaries configured with setuid or setgid bits`
			`cannot change their runtime uid or gid: Potential attackers must rely on other`
			`privilege escalation techniques to successfully operate as root on the Pod.`

			`Depending on how resilient the Kubernetes cluster and Pods are, attackers can`
			`extend their attack to the cluster by compromising the nodes from which the`
			`cluster started the Pod.`

			The `allowPrivilegeEscalation` field should not be set to true unless the Pod's
			`risks related to setuid or setgid bits have been mitigated.`