Policy sets insecure default privilege escalation control Affecting Pod Security Policy service in Kubernetes
Severity Framework: Snyk CCSS
Rule category: Data / Access
- Snyk ID: SNYK-CC-00444
- Credit: Snyk Research Team
Description
All containers may be allowed to escalate privileges unless the allowPrivilegeEscalation attribute is set to false. Setting it to false stops the container from gaining more privileges than its parent process.
How to fix?
Ensure that the defaultAllowPrivilegeEscalation field is set to false.
Example Configuration
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: p
spec:
  defaultAllowPrivilegeEscalation: false
  # other required fields here
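As an added example (not code from the Snyk rule page), a small Python audit that reports PodSecurityPolicy objects carrying the insecure default and computes the allowPrivilegeEscalation value a container actually receives under a policy. It assumes manifests are already parsed into dicts (for instance with PyYAML's yaml.safe_load), and the two sample policies are constructed for the example.

```python
# Added example: audits PodSecurityPolicy manifests for the insecure default
# and computes what a container actually gets. Manifests are assumed to be
# already parsed into dicts (e.g. yaml.safe_load); sample policies are constructed.
from typing import Optional

def audit_psp(manifest: dict) -> list:
    """Return findings for one PodSecurityPolicy; an empty list means compliant.

    PSP semantics: spec.allowPrivilegeEscalation (default true) says whether a
    container may request escalation at all; when it is false the default is
    forced to false as well. spec.defaultAllowPrivilegeEscalation is the value
    applied to containers that leave securityContext.allowPrivilegeEscalation unset.
    """
    if manifest.get("kind") != "PodSecurityPolicy":
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    if spec.get("allowPrivilegeEscalation", True) is False:
        return []  # escalation forbidden outright, so the default cannot matter
    default = spec.get("defaultAllowPrivilegeEscalation")
    if default is None:
        return [f"{name}: defaultAllowPrivilegeEscalation unset; "
                "containers that do not ask get allowPrivilegeEscalation=true"]
    if default is True:
        return [f"{name}: defaultAllowPrivilegeEscalation is true"]
    return []

def effective_allow_privilege_escalation(manifest: dict,
                                         security_context: Optional[dict]) -> bool:
    """allowPrivilegeEscalation a container ends up with under this policy."""
    spec = manifest.get("spec", {})
    requested = (security_context or {}).get("allowPrivilegeEscalation")
    if spec.get("allowPrivilegeEscalation", True) is False:
        if requested is True:
            raise ValueError("pod rejected: policy forbids allowPrivilegeEscalation")
        return False
    if requested is not None:
        return requested  # the PSP default only fills in an unset field
    return spec.get("defaultAllowPrivilegeEscalation", True)

# Constructed sample policies: the rule's finding and the fixed form.
INSECURE_PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
                "metadata": {"name": "permissive"},
                "spec": {"runAsUser": {"rule": "RunAsAny"}}}
FIXED_PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
             "metadata": {"name": "p"},
             "spec": {"defaultAllowPrivilegeEscalation": False,
                      "runAsUser": {"rule": "RunAsAny"}}}

if __name__ == "__main__":
    for psp in (INSECURE_PSP, FIXED_PSP):
        print(psp["metadata"]["name"], audit_psp(psp) or "compliant")
```

Note that defaultAllowPrivilegeEscalation only fills in an unset field: a container that explicitly sets allowPrivilegeEscalation: true still gets it unless the policy also sets allowPrivilegeEscalation: false. PodSecurityPolicy was removed in Kubernetes 1.25, so on newer clusters the equivalent control is the Pod Security Admission restricted profile or an admission policy.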