rspec/rules/S6428/kubernetes/rule.adoc

Running containers in privileged mode can reduce the resilience of a cluster in
the event of a security incident because it weakens the isolation between hosts
and containers.

Process permissions in privileged containers are essentially the same as root
permissions on the host. If these processes are not protected by robust
security measures, an attacker who compromises a root process on a Pod's host
is likely to gain the ability to pivot within the cluster. +
Depending on how resilient the cluster is, attackers can extend their attack to
the cluster by compromising the nodes from which the cluster launched the
process.

== Ask Yourself Whether

* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

Disable privileged mode.

== Sensitive Code Example

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        privileged: true # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        privileged: false
----

== See

* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Ensure that enabling privileged mode is safe here.

=== Highlighting

Highlight `privileged: true`.

endif::env-github,rspecator-view[]
Create rule S6428: Running a container in privileged mode is security-sensitive (APPSEC-16) 2022-07-12 10:46:23 +02:00			`Running containers in privileged mode can reduce the resilience of a cluster in`
			`the event of a security incident because it weakens the isolation between hosts`
			`and containers.`

			`Process permissions in privileged containers are essentially the same as root`
			`permissions on the host. If these processes are not protected by robust`
			`security measures, an attacker who compromises a root process on a Pod's host`
			`is likely to gain the ability to pivot within the cluster. +`
			`Depending on how resilient the cluster is, attackers can extend their attack to`
			`the cluster by compromising the nodes from which the cluster launched the`
			`process.`

			`== Ask Yourself Whether`

			`* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster.`

			`There is a risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

			`Disable privileged mode.`

			`== Sensitive Code Example`

			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: example`
			`spec:`
			`containers:`
			`- name: web`
			`image: nginx`
			`ports:`
			`- name: web`
			`containerPort: 80`
			`protocol: TCP`
			`securityContext:`
			`privileged: true # Sensitive`
			`----`

			`== Compliant Solution`

			`[source,yaml]`
			`----`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: example`
			`spec:`
			`containers:`
			`- name: web`
			`image: nginx`
			`ports:`
			`- name: web`
			`containerPort: 80`
			`protocol: TCP`
			`securityContext:`
			`privileged: false`
			`----`

			`== See`

			`* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Ensure that enabling privileged mode is safe here.`

			`=== Highlighting`

			Highlight `privileged: true`.

			`endif::env-github,rspecator-view[]`