Benchmark: Containers should not allow privilege escalation
Description
Containers should not allow privilege escalation. A container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent.
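The check these controls apply, as an added example that is not part of the mod itself: a container passes only when `allowPrivilegeEscalation` is explicitly `false` (Kubernetes treats an unset value as `true`, and `privileged: true` always permits escalation). The manifest below is constructed; the helper names are this example's own.

```python
"""Flag containers that can gain more privileges than their parent."""
import json
from typing import Dict, List

# Constructed sample manifest, not taken from a real cluster.
SAMPLE_POD = json.loads("""
{
  "kind": "Pod",
  "metadata": {"name": "demo", "namespace": "default"},
  "spec": {
    "initContainers": [
      {"name": "init", "image": "busybox", "securityContext": {}}
    ],
    "containers": [
      {"name": "api", "image": "app:1.0",
       "securityContext": {"allowPrivilegeEscalation": false}},
      {"name": "sidecar", "image": "proxy:2.0",
       "securityContext": {"allowPrivilegeEscalation": true}},
      {"name": "debug", "image": "tools:1.0"}
    ]
  }
}
""")


def pod_spec_of(obj: Dict) -> Dict:
    """Locate the pod spec for a Pod or for a template-bearing workload."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]  # Deployment, DaemonSet, Job, ...


def container_allows_escalation(container: Dict) -> bool:
    """True unless allowPrivilegeEscalation is explicitly false and the
    container is not privileged (an unset flag defaults to true)."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged", False):
        return True
    return sc.get("allowPrivilegeEscalation", True) is not False


def find_escalation_containers(obj: Dict) -> List[str]:
    """Names of init and regular containers that fail the check."""
    spec = pod_spec_of(obj)
    return [c["name"] for kind in ("initContainers", "containers")
            for c in spec.get(kind, []) if container_allows_escalation(c)]


if __name__ == "__main__":
    bad = find_escalation_containers(SAMPLE_POD)
    print(f"{SAMPLE_POD['metadata']['name']}: {'alarm' if bad else 'ok'} {bad}")
```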
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Containers should not allow privilege escalation.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_container_privilege_escalation_disabled
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_container_privilege_escalation_disabled --share
Controls
- CronJob containers should not allow privilege escalation
- DaemonSet containers should not allow privilege escalation
- Deployment containers should not allow privilege escalation
- Job containers should not allow privilege escalation
- Pod containers should not allow privilege escalation
- Pod Security Policy should prohibit privilege escalation
- ReplicaSet containers should not allow privilege escalation
- ReplicationController containers should not allow privilege escalation
- StatefulSet containers should not allow privilege escalation