Co-authored-by: pierre-loup-tristant-sonarsource <pierre-loup-tristant-sonarsource@users.noreply.github.com>
Allowing process privilege escalations exposes the Pod to attacks that exploit
setuid binaries.

The `allowPrivilegeEscalation` field directly controls whether the `no_new_privs` flag is set in the
container process. +
When this flag is enabled, binaries configured with setuid or setgid bits
cannot change their runtime uid or gid: potential attackers must rely on other
privilege escalation techniques to successfully operate as root on the Pod.

Depending on how resilient the Kubernetes cluster and Pods are, attackers can
extend their attack to the cluster by compromising the nodes from which the
cluster started the Pod.

The `allowPrivilegeEscalation` field should not be set to true unless the Pod's
risks related to setuid or setgid bits have been mitigated.
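
A manifest check for the setting described above, as an added example (not part of the original rule description or the project's code). It goes slightly beyond the text: it also reports containers that leave the field unset, and containers that set it to false while being privileged or adding `CAP_SYS_ADMIN`, which the Kubernetes API documentation describes as always allowing escalation. The function name and the sample Pod are assumptions constructed for illustration.

```python
import json

# Constructed sample manifest (as returned by `kubectl get pod -o json`);
# names and images are placeholders, not taken from the page.
SAMPLE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "demo"}, "spec": {
  "initContainers": [{"name": "init", "image": "example/init"}],
  "containers": [
    {"name": "web", "image": "example/web",
     "securityContext": {"allowPrivilegeEscalation": false}},
    {"name": "agent", "image": "example/agent",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "capabilities": {"add": ["SYS_ADMIN"]}}},
    {"name": "debug", "image": "example/debug",
     "securityContext": {"allowPrivilegeEscalation": true}}
  ]}}
""")


def escalation_findings(pod):
    """Return (container name, reason) pairs where no_new_privs is not guaranteed."""
    findings = []
    spec = pod.get("spec") or {}
    # The field is container-level only, so every container list must be walked.
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(group) or []:
            sc = c.get("securityContext") or {}
            ape = sc.get("allowPrivilegeEscalation")
            caps = (sc.get("capabilities") or {}).get("add") or []
            caps = {cap.upper().removeprefix("CAP_") for cap in caps}
            if ape is True:
                reason = "explicitly true"
            elif ape is None:
                reason = "unset, so no_new_privs is not requested"
            elif sc.get("privileged") or "SYS_ADMIN" in caps:
                reason = "false, but container is privileged or adds CAP_SYS_ADMIN"
            else:
                continue  # explicitly false with no conflicting setting
            findings.append((c.get("name", "?"), reason))
    return findings


if __name__ == "__main__":
    for name, reason in escalation_findings(SAMPLE_POD):
        print(f"{name}: allowPrivilegeEscalation {reason}")
```

Inside a running container, the `NoNewPrivs` line of `/proc/self/status` shows whether the flag actually took effect.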