Overview
Containers with privilege escalation enabled allow their processes to gain privileges they did not start with. In Kubernetes this is controlled by the allowPrivilegeEscalation field of a container's securityContext: when it is true (which is also the default when the field is left unset), a process may acquire more privileges than its parent, for example through a setuid binary such as sudo; when it is false, the container's processes run with the no_new_privs flag set and that path is closed. Leaving it enabled is roughly the equivalent of handing out sudo access on your Linux servers, so your running containers deserve the same care you give to access on those servers.
How Magalix Helps
As part of our best practices, Magalix KubeAdvisor ships with a governance Advisor that detects pods running with allowPrivilegeEscalation set to true. It checks every one of your clusters for this issue, so you don't have to.
Identifying the Issue
Issues Dashboard
When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.
You’ll be brought to the Issues Dashboard. The top part of the page displays graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.
In the lower half of the page, locate Container running in PrivilegedEscalated Enabled.
Issue Page
If you click on the issue, you can see an overview of how many entities are out of compliance along with a description of the Advisor.
In the bottom half of the page, you will see each individual violation. Clicking on an entity takes you to its full breakdown on our Recommendation page.
Recommendation Page
1- Description
Every Advisor opens with a brief explanation of the policy it enforces.
2- Evidence
As part of the violation, Magalix KubeAdvisor shows you the offending entity in YAML format, so you can identify exactly where the problem is: look for allowPrivilegeEscalation: true in the container's securityContext. Bear in mind that Kubernetes treats a container whose securityContext omits the field the same way, because the field defaults to true.
3- Resolution
This area suggests how to resolve the violation; for this Advisor that means setting allowPrivilegeEscalation: false in the securityContext of each affected container.
4- History
At the bottom, we also show how long this entity has been in violation, which helps you judge whether any recently observed problems stem from it.
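To make the setting the Advisor looks for concrete, the following is an added example; it is not Magalix code and is not part of the original page. It loads a constructed PodList in the shape that kubectl get pods -A -o json produces (pod names, namespaces and images are made up), reports every container that can gain privileges, and applies the fix from the Resolution step. It goes a little beyond the Advisor's stated rule of "set to true": it also flags containers where the field is unset, because Kubernetes defaults it to true, and containers where the kubelet forces it to true regardless of the manifest (privileged: true, or CAP_SYS_ADMIN added).

```python
"""Report containers that can escalate privileges.

Added example, not Magalix code. Usage:
    python3 check_escalation.py            # scans the constructed sample below
    python3 check_escalation.py pods.json  # scans `kubectl get pods -A -o json` output
"""
import json
import sys

# Constructed sample PodList (shape of `kubectl get pods -A -o json`, trimmed).
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "default"},
   "spec": {"containers": [
     {"name": "nginx", "image": "nginx:1.25",
      "securityContext": {"allowPrivilegeEscalation": true}},
     {"name": "sidecar", "image": "busybox"}]}},
  {"metadata": {"name": "hardened", "namespace": "prod"},
   "spec": {"containers": [
     {"name": "app", "image": "app:1.0",
      "securityContext": {"allowPrivilegeEscalation": false,
                          "runAsNonRoot": true,
                          "capabilities": {"drop": ["ALL"]}}}]}},
  {"metadata": {"name": "admin", "namespace": "kube-system"},
   "spec": {"initContainers": [
     {"name": "setup", "image": "busybox",
      "securityContext": {"allowPrivilegeEscalation": false,
                          "capabilities": {"add": ["SYS_ADMIN"]}}}],
    "containers": [
     {"name": "priv", "image": "tools",
      "securityContext": {"privileged": true,
                          "allowPrivilegeEscalation": false}}]}}
]}
""")


def effective_allow_privilege_escalation(container):
    """Return (allowed, reason) for one container spec.

    Follows the Kubernetes rule: the field defaults to true when unset, and
    the kubelet forces it to true for privileged containers and for
    containers that add CAP_SYS_ADMIN, whatever the manifest says.
    """
    sc = container.get("securityContext") or {}
    added_caps = (sc.get("capabilities") or {}).get("add") or []
    if sc.get("privileged"):
        return True, "privileged: true forces allowPrivilegeEscalation"
    if any(c.upper() in ("SYS_ADMIN", "CAP_SYS_ADMIN") for c in added_caps):
        return True, "CAP_SYS_ADMIN forces allowPrivilegeEscalation"
    if "allowPrivilegeEscalation" not in sc:
        return True, "allowPrivilegeEscalation unset (defaults to true)"
    if sc["allowPrivilegeEscalation"]:
        return True, "allowPrivilegeEscalation: true"
    return False, "allowPrivilegeEscalation: false"


def find_violations(pod_list):
    """Scan every init container and container in a PodList; return findings."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind, []):
                allowed, reason = effective_allow_privilege_escalation(c)
                if allowed:
                    findings.append({
                        "namespace": meta.get("namespace", "default"),
                        "pod": meta.get("name"),
                        "container": c.get("name"),
                        "reason": reason,
                    })
    return findings


def hardened_security_context(container):
    """Return a copy of the container with allowPrivilegeEscalation: false.

    This is the Resolution step. It is not enough on its own for a
    privileged container or one that adds CAP_SYS_ADMIN; those still report
    as escalatable until the privilege or capability itself is removed.
    """
    fixed = dict(container)
    sc = dict(fixed.get("securityContext") or {})
    sc["allowPrivilegeEscalation"] = False
    fixed["securityContext"] = sc
    return fixed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pods = json.load(fh)
    else:
        pods = SAMPLE_POD_LIST
    for f in find_violations(pods):
        print(f"{f['namespace']}/{f['pod']} container {f['container']}: {f['reason']}")
```

On the constructed sample the script reports four containers: web/nginx (explicitly true), web/sidecar (field unset), admin/setup (CAP_SYS_ADMIN added) and admin/priv (privileged); prod/hardened is clean. The last two show why setting the field to false is only part of the fix when a container is also privileged or granted CAP_SYS_ADMIN.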
Conclusion
As you would protect elevated privileges on any of your servers, take the same care with your container workloads. Allowing a child process to gain more privileges than its parent, for example through a setuid binary such as sudo, gives an attacker who lands inside the container a path to escalate. At Magalix we want to cover the basics, which is why this best-practice Advisor is enabled by default: we want you to know when you are at risk. Check whether any of your containers can run with escalated privileges now, before someone else does.