

Pod Security Policies Advisor - Container running with PrivilegeEscalation Enabled


Overview

Containers running with allowPrivilegeEscalation enabled let a process inside the container gain privileges it did not start with. This is the equivalent of handing out sudo access on your Linux servers. The same care you take when granting access to your servers should be given to your running containers.

How Magalix Helps

As part of our best practices, Magalix KubeAdvisor ships with a governance Advisor that detects when your pods are running with allowPrivilegeEscalation set to true. We identify potential issues across all of your clusters, so you don’t have to.

Identifying the Issue

Issues Dashboard

When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.

You’ll be brought to the Issues Dashboard. The top part of the page displays graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

In the lower half of the page, locate Container running with PrivilegeEscalation Enabled.

Issue Page

If you click on the issue, you can see an overview of how many entities are out of compliance along with a description of the Advisor.

At the bottom half of the page, you will see each individual violation. After clicking on an entity, you can see the full breakdown in our Recommendation page.

Recommendation Page

1- Description

Every policy opens with a brief explanation of what it checks.

2- Evidence

As part of the violation, Magalix KubeAdvisor shows you the entity in YAML format so you can identify exactly where the problem is: search for allowPrivilegeEscalation: true in the container's securityContext.

3- Resolution

This area provides suggestions on how you can resolve the violation.
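As an added example (not Magalix's own code or the KubeAdvisor implementation), the checker below walks a constructed pod document shaped like the JSON kubectl returns for a pod, reports every container that can escalate privileges, and applies the resolution where the API allows it. It goes slightly beyond the page's check in two ways: a missing allowPrivilegeEscalation is reported as well, because Kubernetes defaults the field to true, and a container with privileged: true is reported but not patched, because the API server rejects privileged: true combined with allowPrivilegeEscalation: false.

```python
import json

# Constructed sample shaped like `kubectl get pod -o json` output; not data from a real cluster.
SAMPLE_POD_JSON = json.dumps({
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "initContainers": [{"name": "init-db", "image": "busybox"}],  # no securityContext at all
        "containers": [
            {"name": "app", "image": "nginx", "securityContext": {"allowPrivilegeEscalation": True}},
            {"name": "debug", "image": "busybox", "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "envoy",
             "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    },
})

def _all_containers(spec):
    # Init containers run under the same rules as regular containers, so check both.
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            yield c

def find_privilege_escalation(pod_json):
    """Return (pod, container, reason) for every container that can gain privileges.
    An unset allowPrivilegeEscalation counts, because Kubernetes defaults it to true."""
    pod = json.loads(pod_json)
    findings = []
    for c in _all_containers(pod["spec"]):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            reason = "privileged: true (allowPrivilegeEscalation is forced to true)"
        elif sc.get("allowPrivilegeEscalation") is None:
            reason = "allowPrivilegeEscalation unset (defaults to true)"
        elif sc.get("allowPrivilegeEscalation") is True:
            reason = "allowPrivilegeEscalation: true"
        else:
            continue
        findings.append((pod["metadata"]["name"], c["name"], reason))
    return findings

def remediate(pod_json):
    """Set allowPrivilegeEscalation: false on every non-privileged container and return the
    updated pod as JSON. Privileged containers are skipped: the API server rejects that
    combination, so privileged must be removed first, which is a workload decision."""
    pod = json.loads(pod_json)
    for c in _all_containers(pod["spec"]):
        sc = c.setdefault("securityContext", {})
        if sc.get("privileged") is not True:
            sc["allowPrivilegeEscalation"] = False
    return json.dumps(pod, indent=2)
```

Running find_privilege_escalation over the remediated document leaves only the privileged container, which is exactly the case that needs a human decision rather than a flag change.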

4- History

At the bottom, we also show how long this entity has been in violation, which helps you judge whether any newer issues stem from this violation.

Conclusion

Just as you protect elevated privileges on your servers, you must take the same careful measures with your container workloads. Allowing a child process to hold more privileges than its parent, as sudo does, can open you to exploitation. At Magalix, we want to make sure the basics are covered, which is why this best-practice Advisor is enabled by default. We want you to know when you are at risk. Check whether any of your containers can run with escalated privileges now, before someone else does.
