0d9930a426
* Add ansible to rule S6428 * Add Ansible text * Fix typo * Fix typo in Kubernetes too --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
70 lines
1.5 KiB
Plaintext
70 lines
1.5 KiB
Plaintext
include::../common/summary.adoc[]
|
|
|
|
Process permissions in privileged containers are essentially the same as root
|
|
permissions on the host. If these processes are not protected by robust
|
|
security measures, an attacker who compromises a root process on a Pod's host
|
|
is likely to gain the ability to pivot within the cluster. +
|
|
Depending on how resilient the cluster is, attackers can extend their attack to
|
|
the cluster by compromising the nodes from which the cluster launched the
|
|
process.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* The services of this Pod are accessible to people who are not administrators of the Kubernetes cluster.
|
|
|
|
There is a risk if you answered yes to this question.
|
|
|
|
include::../common/secure-coding-practices.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: example
|
|
spec:
|
|
containers:
|
|
- name: web
|
|
image: nginx
|
|
ports:
|
|
- name: web
|
|
containerPort: 80
|
|
protocol: TCP
|
|
securityContext:
|
|
privileged: true # Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: example
|
|
spec:
|
|
containers:
|
|
- name: web
|
|
image: nginx
|
|
ports:
|
|
- name: web
|
|
containerPort: 80
|
|
protocol: TCP
|
|
securityContext:
|
|
privileged: false
|
|
----
|
|
|
|
include::../common/see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../common/message-highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|