yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation

profile photo of returntocorpreturntocorp
Author
418
Download Count*
LGPL Commons Clause
License

In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain setuid or setgid binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container in the pod, with the parameter allowPrivilegeEscalation set to false. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the allowPrivilegeEscalation parameter to your the securityContext, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: allow-privilege-escalation
    patterns:
      - pattern-inside: |
          containers:
            ...
      - pattern-inside: |
          - name: $CONTAINER
            ...
      - pattern: |
          image: ...
          ...
      - pattern-inside: |
          image: ...
          ...
          $SC:
            ...
      - metavariable-regex:
          metavariable: $SC
          regex: ^(securityContext)$
      - pattern-not-inside: |
          image: ...
          ...
          securityContext:
            ...
            allowPrivilegeEscalation: $VAL
      - focus-metavariable: $SC
    fix: |
      securityContext:
              allowPrivilegeEscalation: false #
    message: In Kubernetes, each pod runs in its own isolated environment with its
      own  set of security policies. However, certain container images may
      contain  `setuid` or `setgid` binaries that could allow an attacker to
      perform  privilege escalation and gain access to sensitive resources. To
      mitigate  this risk, it's recommended to add a `securityContext` to the
      container in  the pod, with the parameter `allowPrivilegeEscalation` set
      to `false`.  This will prevent the container from running any privileged
      processes and  limit the impact of any potential attacks.  By adding the
      `allowPrivilegeEscalation` parameter to your the  `securityContext`, you
      can help to  ensure that your containerized applications are more secure
      and less  vulnerable to privilege escalation attacks.
    metadata:
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
        - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag
      category: security
      technology:
        - kubernetes
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - yaml
    severity: WARNING

Examples

allow-privilege-escalation.test.yaml

apiVersion: v1
kind: Pod
spec:
  containers:
    # ok: allow-privilege-escalation
    - name: nginx
      image: nginx
    - name: postgres
      image: postgres
    # ruleid: allow-privilege-escalation
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
    # ok: allow-privilege-escalation
    - name: redis
      image: redis
      securityContext:
        allowPrivilegeEscalation: true
    # ok: allow-privilege-escalation
    - name: haproxy
      image: haproxy
      securityContext:
        allowPrivilegeEscalation: false