yaml.kubernetes.security.privileged-container.privileged-container

Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.
Definition
rules:
  - id: privileged-container
    pattern-either:
      - patterns:
          - pattern-inside: |
              containers:
                ...
          - pattern: |
              image: ...
              ...
              securityContext:
                ...
                privileged: true
      - patterns:
          - pattern-inside: |
              spec:
                ...
          - pattern-not-inside: |
              image: ...
              ...
          - pattern: |
              privileged: true
    message: Container or pod is running in privileged mode. This grants the
      container the equivalent of root capabilities on the host machine. This
      can lead to container escapes, privilege escalation, and other security
      concerns. Remove the 'privileged' key to disable this capability.
    metadata:
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
      category: security
      technology:
        - kubernetes
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - yaml
    severity: WARNING
Examples
privileged-container.test.yaml
apiVersion: v1
kind: Pod
spec:
  # ruleid: privileged-container
  privileged: true
  containers:
    # ruleid: privileged-container
    - name: nginx
      image: nginx
      securityContext:
        privileged: true
    # ok: privileged-container
    - name: postgres
      image: postgres
    # ok: privileged-container
    - name: redis
      image: redis
      securityContext:
        privileged: false
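The two patterns in the rule definition above (a `privileged: true` inside a container's `securityContext`, and a stray `privileged: true` directly under `spec`) can also be expressed as a plain walk over a parsed manifest. The following is an added example written for this page, not part of the Semgrep rule or its test file. It reproduces the rule's logic in Python over the same test manifest, expressed as JSON (which kubectl accepts in place of YAML, so no YAML library is needed), and goes a little beyond the rule by also walking `initContainers`, `ephemeralContainers` and workload pod templates (`spec.template.spec`), which the rule's `containers:` pattern does not cover. The `SAMPLE_POD` and `SAMPLE_DEPLOYMENT` inputs are constructed for this example; `strip_privileged` applies the remediation the message recommends, removing the offending key.

```python
"""Flag and remediate `privileged: true` in Kubernetes manifests.

Added example for the privileged-container rule page; not Semgrep code.
Mirrors the rule's two patterns over a parsed manifest and additionally
checks initContainers, ephemeralContainers and spec.template.spec.
"""
import copy
import json

# Constructed sample: the rule's test file as JSON (kubectl accepts JSON too).
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "spec": {
    "privileged": true,
    "containers": [
      {"name": "nginx", "image": "nginx", "securityContext": {"privileged": true}},
      {"name": "postgres", "image": "postgres"},
      {"name": "redis", "image": "redis", "securityContext": {"privileged": false}}
    ]
  }
}
""")

# Constructed sample: a Deployment whose init container is privileged.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "web"},
  "spec": {
    "template": {
      "spec": {
        "initContainers": [
          {"name": "setup", "image": "busybox", "securityContext": {"privileged": true}}
        ],
        "containers": [
          {"name": "app", "image": "app:1.0"}
        ]
      }
    }
  }
}
""")

# Every list in a pod spec that holds container definitions.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _pod_spec(manifest):
    """Return (pod_spec, path) for a bare Pod or for a workload's pod template."""
    spec = manifest.get("spec") or {}
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job, ...
        return (spec["template"].get("spec") or {}), "spec.template.spec"
    return spec, "spec"


def find_privileged(manifest):
    """Return the path of every `privileged: true` the rule would report."""
    spec, base = _pod_spec(manifest)
    findings = []
    # Rule's second pattern: `privileged: true` directly under spec.
    if spec.get("privileged") is True:
        findings.append(f"{base}.privileged")
    # Rule's first pattern: privileged set in a container's securityContext.
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                name = c.get("name", "?")
                findings.append(f"{base}.{list_name}[{name}].securityContext.privileged")
    return findings


def strip_privileged(manifest):
    """Return a deep copy with each offending `privileged: true` key removed.

    An explicit `privileged: false` is left alone; it is already safe.
    """
    fixed = copy.deepcopy(manifest)
    spec, _ = _pod_spec(fixed)  # reference into `fixed`, so edits stick
    if spec.get("privileged") is True:
        del spec["privileged"]
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name) or []:
            sc = c.get("securityContext")
            if isinstance(sc, dict) and sc.get("privileged") is True:
                del sc["privileged"]
    return fixed


if __name__ == "__main__":
    for m in (SAMPLE_POD, SAMPLE_DEPLOYMENT):
        print(m["kind"], "findings:", find_privileged(m))
        print(m["kind"], "after fix:", find_privileged(strip_privileged(m)))
```

The checker returns paths rather than booleans so that a CI job can print exactly which container to fix; the `is True` comparisons deliberately ignore string values such as `"true"`, which the Kubernetes API would reject anyway.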
Short Link: https://sg.run/Ygr5