Policy sets insecure default privilege escalation control Affecting Pod Security Policy service in Kubernetes

Snyk CCSS

Data / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00444
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

All containers may be allowed to escalate privileges unless allowPrivilegeEscalation attribute is set to false. This stops the container from gaining more privileges than its parent process.

How to fix?

Ensure that the defaultAllowPrivilegeEscalation field is set to false.

Example Configuration

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: p
spec:
  defaultAllowPrivilegeEscalation: false
  # other required fields here

Kubernetes

Pod Security Policies

References

Cisco - Understanding and Applying Kubernetes Pod Security Policy