yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation
semgrepAuthor
418
Download Count*
License
In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain setuid or setgid binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container in the pod, with the parameter allowPrivilegeEscalation set to false. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the allowPrivilegeEscalation parameter to your the securityContext, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.
Run Locally
Run in CI
Defintion
rules:
- id: allow-privilege-escalation
patterns:
- pattern-inside: |
containers:
...
- pattern-inside: |
- name: $CONTAINER
...
- pattern: |
image: ...
...
- pattern-inside: |
image: ...
...
$SC:
...
- metavariable-regex:
metavariable: $SC
regex: ^(securityContext)$
- pattern-not-inside: |
image: ...
...
securityContext:
...
allowPrivilegeEscalation: $VAL
- focus-metavariable: $SC
fix: |
securityContext:
allowPrivilegeEscalation: false #
message: In Kubernetes, each pod runs in its own isolated environment with its
own set of security policies. However, certain container images may
contain `setuid` or `setgid` binaries that could allow an attacker to
perform privilege escalation and gain access to sensitive resources. To
mitigate this risk, it's recommended to add a `securityContext` to the
container in the pod, with the parameter `allowPrivilegeEscalation` set to
`false`. This will prevent the container from running any privileged
processes and limit the impact of any potential attacks. By adding the
`allowPrivilegeEscalation` parameter to your the `securityContext`, you
can help to ensure that your containerized applications are more secure
and less vulnerable to privilege escalation attacks.
metadata:
cwe:
- "CWE-732: Incorrect Permission Assignment for Critical Resource"
owasp:
- A05:2021 - Security Misconfiguration
- A06:2017 - Security Misconfiguration
references:
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
- https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag
category: security
technology:
- kubernetes
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
languages:
- yaml
severity: WARNING
Examples
allow-privilege-escalation.test.yaml
apiVersion: v1
kind: Pod
spec:
containers:
# ok: allow-privilege-escalation
- name: nginx
image: nginx
- name: postgres
image: postgres
# ruleid: allow-privilege-escalation
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
# ok: allow-privilege-escalation
- name: redis
image: redis
securityContext:
allowPrivilegeEscalation: true
# ok: allow-privilege-escalation
- name: haproxy
image: haproxy
securityContext:
allowPrivilegeEscalation: false
Short Link: https://sg.run/ljp6