include::../common/summary.adoc[]

Process permissions in privileged containers are essentially the same as root
permissions on the host. If these processes are not protected by robust
security measures, an attacker who compromises a root process on a Pod's host
is likely to gain the ability to pivot within the cluster. +
Depending on how resilient the cluster is, attackers can extend their attack to
the cluster by compromising the nodes from which the cluster launched the
process.

== Ask Yourself Whether

* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster.

There is a risk if you answered yes to this question.

include::../common/secure-coding-practices.adoc[]

== Sensitive Code Example

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        privileged: true # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      securityContext:
        privileged: false
----

include::../common/see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../common/message-highlighting.adoc[]

endif::env-github,rspecator-view[]