Benchmark: Containers should not have privileged access
Description
Containers should not have privileged access. To prevent security issues, it is recommended that you do not run privileged containers in your environment. Instead, provide granular permissions and capabilities to the container environment. Giving containers full access to the host can create security flaws in your production environment.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select Containers should not have privileged access.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_container_privilege_disabled
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_container_privilege_disabled --share
Controls
- CronJob containers should not have privileged access
- DaemonSet containers should not have privileged access
- Deployment containers should not have privileged access
- Job containers should not have privileged access
- Pod containers should not have privileged access
- Pod Security Policy should prohibit containers to run with privilege access
- ReplicaSet containers should not have privileged access
- ReplicationController containers should not have privileged access
- StatefulSet containers should not have privileged access