Profile Applicability:
• Level 1

Description:
 Containers should not be allowed to run with the allowPrivilegeEscalation flag set to true. The flag controls whether a process inside the container can gain more privileges than its parent process, for example through a setuid binary or file capabilities; when it is false, the container runtime sets the no_new_privs bit on the container's processes. The flag is treated as true when it is not set, and Kubernetes always sets it to true for privileged containers and for containers that add CAP_SYS_ADMIN. It is important to note that the flag only governs escalation inside the container's sandbox: a privileged container already has full host-level access, and this setting does not restrain it.

Rationale:
 Allowing privilege escalation within containers increases risk, since a compromised process can use setuid binaries or file capabilities to obtain privileges it did not start with. allowPrivilegeEscalation should be explicitly set to false on every container unless there is a documented need for it. Containers that do require this capability (such as those that run setuid binaries) should be handled with care and isolated in namespaces with their own policy, ensuring that only limited and authorized service accounts or users can create pods there.

Impact:
 Pros:

  • Reduces the risk of privilege escalation attacks within containers.

  • Strengthens security by restricting containers from gaining unnecessary privileges.

Cons:

  • Some containers may require the ability to escalate privileges for certain use cases. These containers should be restricted to specific policies with tightly controlled access.

Default Value:
 By default, a container's allowPrivilegeEscalation is unset, which Kubernetes treats as true, and Pod Security Admission applies the privileged level (no restrictions) to any namespace that carries no pod-security.kubernetes.io labels. Kubernetes therefore does not restrict privilege escalation unless it is explicitly configured.

Pre-requisites:

  • Access to the Kubernetes cluster with sufficient privileges to label namespaces for Pod Security Admission (PSA) or to manage a third-party admission controller. Pod Security Policies (PSPs) were removed in Kubernetes 1.25 and cannot be used.

  • Understanding of the workloads that require privilege escalation (e.g., setuid binaries).

Remediation

Test Plan:

Using AWS Console:

  1. Review the pod-security.kubernetes.io/enforce label on each namespace with user workloads to ensure that it enforces the restricted level, so that containers with allowPrivilegeEscalation set to true (or left unset) are not admitted.

  2. Check the securityContext of the containers and init containers of running pods to verify that allowPrivilegeEscalation is explicitly false. Enforcement applies only to pods created after the label is set, so pods that were already running must be checked separately.

Using AWS CLI:

  1. To identify pods with a container or init container whose allowPrivilegeEscalation is true or unset (an unset flag defaults to true), use the following command:

kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(any(.spec.containers[], .spec.initContainers[]?; .securityContext.allowPrivilegeEscalation != false)) | "\(.metadata.namespace)/\(.metadata.name)"'

  2. Alternatively, to exclude the kube-system namespace and list each offending container by name, run this command:

kubectl get pods --all-namespaces -o json | jq '.items[] | select(.metadata.namespace != "kube-system") | .metadata as $m | (.spec.containers[], .spec.initContainers[]?) | select(.securityContext.allowPrivilegeEscalation != false) | {namespace: $m.namespace, pod: $m.name, container: .name}'

  3. Review the output to ensure that no unauthorized pods are configured with allowPrivilegeEscalation: true or leave it unset. Privileged containers and containers that add CAP_SYS_ADMIN always run with escalation allowed, whatever the flag says, and must be reviewed as well.
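The jq one-liners above only report what the pod spec literally says. The script below is an added example for this recommendation (it is not part of the benchmark or of kubectl) that audits the same kubectl JSON more completely: it treats an unset flag as true, covers init and ephemeral containers, recognises the privileged and CAP_SYS_ADMIN cases where Kubernetes forces the flag to true, skips kube-system, and for each fixable container emits a strategic-merge patch carrying the full restricted-profile securityContext for the workload that owns the pod. The sample pod list, its namespace and pod names, and the script name audit_privesc.py are assumptions; run it as `kubectl get pods --all-namespaces -o json | python3 audit_privesc.py`, or with no input to audit the embedded sample.

```python
"""Audit pod specs for containers that can gain privileges.

Added example for this recommendation, not part of the benchmark or of
kubectl. Reads the JSON that `kubectl get pods --all-namespaces -o json`
prints from stdin, or audits the constructed sample below when given nothing.
"""
import json
import sys

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")

# What the restricted Pod Security Standard requires of every container on
# top of allowPrivilegeEscalation: false; the namespace label enforces all
# of it, so fixing the flag alone can still leave a pod rejected.
RESTRICTED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def escalation_state(container):
    """Return (can_escalate, reason). An unset flag means true, and Kubernetes
    forces true for privileged containers and ones that add CAP_SYS_ADMIN."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True, "privileged: true (escalation always allowed)"
    added = {c.upper() for c in (sc.get("capabilities") or {}).get("add") or []}
    if added & {"SYS_ADMIN", "CAP_SYS_ADMIN"}:
        return True, "adds CAP_SYS_ADMIN (escalation always allowed)"
    flag = sc.get("allowPrivilegeEscalation")
    if flag is None:
        return True, "allowPrivilegeEscalation unset (defaults to true)"
    return bool(flag), f"allowPrivilegeEscalation: {str(flag).lower()}"


def audit(pod_list, skip_namespaces=("kube-system",)):
    """One finding per init, regular or ephemeral container not explicitly hardened."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        if meta["namespace"] in skip_namespaces:
            continue
        for list_name in CONTAINER_LISTS:
            for c in pod["spec"].get(list_name) or []:
                can_escalate, reason = escalation_state(c)
                if can_escalate:
                    findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                                     "list": list_name, "container": c["name"], "reason": reason})
    return findings


def remediation_patch(pod, findings):
    """Strategic-merge patch for the Deployment/StatefulSet/DaemonSet/Job that
    owns `pod` (a pod's securityContext is immutable, so the fix goes into its
    spec.template). Privileged/CAP_SYS_ADMIN containers need a redesign, not a
    patch, and ephemeral containers cannot be patched; both are skipped."""
    meta = pod["metadata"]
    spec = {}
    for f in findings:
        if (f["namespace"], f["pod"]) != (meta["namespace"], meta["name"]):
            continue
        if f["list"] == "ephemeralContainers" or "always allowed" in f["reason"]:
            continue
        spec.setdefault(f["list"], []).append(
            {"name": f["container"], "securityContext": dict(RESTRICTED_SECURITY_CONTEXT)})
    return {"spec": {"template": {"spec": spec}}} if spec else None


# Constructed sample in the shape kubectl emits; not data from a real cluster.
SAMPLE_POD_LIST = {"items": [
    {"metadata": {"namespace": "payments", "name": "api-7d9f"},
     "spec": {"initContainers": [{"name": "migrate", "image": "app:1.2"}],
              "containers": [{"name": "app", "image": "app:1.2",
                              "securityContext": dict(RESTRICTED_SECURITY_CONTEXT)}]}},
    {"metadata": {"namespace": "tools", "name": "debug"},
     "spec": {"containers": [{"name": "shell", "image": "busybox", "securityContext":
                              {"allowPrivilegeEscalation": False, "privileged": True}}]}},
    {"metadata": {"namespace": "kube-system", "name": "aws-node-x1"},
     "spec": {"containers": [{"name": "aws-node", "securityContext": {"privileged": True}}]}},
]}


def load_pods():
    return SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)


if __name__ == "__main__":
    pods = load_pods()
    found = audit(pods)
    for f in found:
        print(f"{f['namespace']}/{f['pod']} {f['list']}[{f['container']}]: {f['reason']}")
    for pod in pods.get("items", []):
        patch = remediation_patch(pod, found)
        if patch:
            print(f"# patch for the owner of {pod['metadata']['namespace']}/"
                  f"{pod['metadata']['name']}: {json.dumps(patch)}")
    sys.exit(1 if found else 0)
```

On the sample the script flags the init container `migrate` (flag unset) and the privileged `shell` container, ignores the kube-system pod, and prints a patch only for the `payments/api-7d9f` owner; the privileged container gets no patch because it has to be redesigned rather than relabelled. The emitted patch sets runAsNonRoot, so an image that runs as root without a numeric UID will fail to start until its user is fixed as well.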

Implementation Plan

Using AWS Console:

  1. Enable Pod Security Admission (PSA) enforcement in each namespace with user workloads, so that pods with a container whose allowPrivilegeEscalation is true or unset are rejected. PSA is built into the Kubernetes API server (Kubernetes 1.23 and later) and is configured entirely through namespace labels; there is no separate policy object to create.

  2. Label each namespace to enforce the restricted Pod Security Standard, for example by setting pod-security.kubernetes.io/enforce=restricted on it. The restricted level also requires all capabilities to be dropped, a non-root user and a seccomp profile, so pods that only lack the allowPrivilegeEscalation setting can still be rejected for those reasons.

  3. If necessary, keep containers with valid use cases for privilege escalation in their own namespaces that enforce only the baseline level, and use RBAC to ensure that only authorized service accounts or users can create pods there.

Using AWS CLI:

  1. Label each namespace with user workloads to prevent the creation of pods whose containers have allowPrivilegeEscalation: true (or unset). Set the pod-security.kubernetes.io/warn and pod-security.kubernetes.io/audit labels to restricted first, so that violations appear as client warnings and audit-log annotations without blocking anything, then enforce:

kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted

  2. Optionally, label all namespaces to enforce the restricted policy across the entire cluster. Preview the pods that would be rejected by running the same command with --dry-run=server before applying it, and label namespaces individually rather than with --all when kube-system must stay below restricted: EKS system add-ons there, such as aws-node and kube-proxy, require privileged or host-level access and would not be re-admitted.

kubectl label --overwrite ns --all pod-security.kubernetes.io/enforce=restricted

  3. Enforcement applies only to pods created after the label is set; running pods are not evicted. Redeploy existing workloads so that they pass admission, and ensure that only specific service accounts or users are granted RBAC permission to create pods in the namespaces that still allow allowPrivilegeEscalation: true.

Backout Plan

Using AWS Console:

  1. If the policy results in issues, remove the pod-security.kubernetes.io/enforce label from the affected namespace, or lower it to baseline, to reset the policy.

  2. If containers must use allowPrivilegeEscalation, restore the previous configurations for the affected namespaces or workloads that require this capability.

Using AWS CLI:

  1. To revert the policy, remove the enforce label from the namespace (a trailing hyphen removes a label; an empty string is not a valid Pod Security level and the namespace update is rejected):

kubectl label ns NAMESPACE pod-security.kubernetes.io/enforce-

  2. Allow containers with allowPrivilegeEscalation: true only where necessary, and restore previous settings for critical workloads.

References:

  1. Kubernetes Pod Security Admission Documentation

  2. AWS EKS Best Practices - Restricting Containers that Allow Privilege Escalation