Profile Applicability:

  • Level 1

Description:
 A privileged container (securityContext.privileged: true) runs with every Linux capability, sees the host's devices under /dev, and is exempt from the default masking of sensitive /proc and /sys paths and from the default seccomp and AppArmor confinement that other containers receive. In practice it is equivalent to root on the node: it can load kernel modules, mount host filesystems and change node-level settings. This check ensures that privileged containers are not admitted unless a workload genuinely needs that level of access.

Rationale:
 A process that escapes a privileged container lands on the node as root, from where it can read the kubelet's credentials and the secrets, tokens and volumes of every other pod scheduled there, and can pivot to the cluster's API server. Keeping privileged containers out of general workloads enforces least privilege: a workload that needs one specific kernel interface should be granted that single capability or device rather than the whole privileged flag.

Impact:

  • Pros:

    • Enhances security by limiting the capabilities of containers.

    • Reduces the attack surface by minimizing privileged access to the host system.

  • Cons:

    • May require configuration changes for workloads that require elevated privileges to function.

    • Could cause compatibility issues for certain applications that need privileged access.

Default Value:
 By default the Kubernetes API server admits pods with securityContext.privileged: true. PodSecurityPolicy, the original admission-time control, was deprecated in Kubernetes 1.21 and removed in 1.25; its in-tree replacement is Pod Security Admission, which is enabled by default but enforces nothing until a namespace carries a pod-security.kubernetes.io/enforce label. Both the baseline and restricted Pod Security Standards profiles reject privileged containers. On AKS, the Azure Policy add-on also provides a built-in definition that denies privileged containers through Gatekeeper.

Pre-requisites:
 kubectl access to the cluster with permission to list pods in all namespaces, and an admission-time control for enforcing the result: Pod Security Admission with at least the baseline profile labelled on each application namespace, or the Azure Policy add-on for AKS. PodSecurityPolicy only exists on clusters older than Kubernetes 1.25.

Remediation:

Test Plan:

Using Azure Console:

  1. In the Azure portal, open the AKS cluster, go to Kubernetes resources > Workloads, and inspect the YAML of each deployment (or pod) for a container whose securityContext sets privileged: true. Check init containers as well as application containers.

  2. Confirm that every privileged container has a documented justification (typically cluster infrastructure such as CNI, storage or monitoring agents in kube-system) and that no application workload relies on the flag.

Using Azure CLI:

  1. Fetch the cluster credentials with az aks get-credentials, then list every pod together with the privileged value of its init and application containers (an empty value means the field is unset, which Kubernetes treats as false):

     kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.initContainers[*].securityContext.privileged}{" "}{.spec.containers[*].securityContext.privileged}{"\n"}{end}' | grep true

  2. Every line returned is a pod running at least one privileged container. Ensure each one is required for a specific, documented task; anything else is a finding.
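The jsonpath query above prints values without telling you which container they belong to. The following audit script is an added example (not part of this benchmark or of any Azure tooling) that consumes the JSON from kubectl get pods --all-namespaces -o json, walks init, application and ephemeral containers, and reports only the containers that explicitly set privileged: true. The pod list embedded in it is constructed for offline testing; the pod and namespace names are invented.

```python
"""Audit a cluster for privileged containers.

Added example, not part of the benchmark text. Reads the output of
`kubectl get pods --all-namespaces -o json` from stdin; when run without
piped input it falls back to the constructed SAMPLE_PODS below so the
logic can be exercised offline.
"""
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` output.
# It is not real cluster data: names and namespaces are invented.
SAMPLE_PODS = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "kube-system", "name": "cni-agent-x1"},
     "spec": {"containers": [
        {"name": "agent", "securityContext": {"privileged": true}}]}},
    {"metadata": {"namespace": "web", "name": "frontend-7d9"},
     "spec": {"initContainers": [
        {"name": "sysctl-tune", "securityContext": {"privileged": true}}],
       "containers": [
        {"name": "nginx", "securityContext": {"privileged": false}},
        {"name": "sidecar"}]}}
  ]
}
""")

# Every place a container can appear in a pod spec; a query that only
# looks at .containers misses init containers entirely.
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def privileged_state(container):
    """Return True, False, or None when the field is unset.

    Kubernetes treats an unset field as false, so only an explicit True
    is a finding.
    """
    return (container.get("securityContext") or {}).get("privileged")


def find_privileged(pod_list):
    """Return sorted 'namespace/pod:kind/container' strings for every
    container that explicitly sets privileged: true."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        spec = pod.get("spec", {})
        for kind in CONTAINER_KINDS:
            for c in spec.get(kind, []):
                if privileged_state(c) is True:
                    hits.append(
                        f"{meta['namespace']}/{meta['name']}:{kind}/{c['name']}")
    return sorted(hits)


def main():
    data = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    hits = find_privileged(data)
    for hit in hits:
        print(hit)
    # Non-zero exit so the audit can gate a pipeline.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as kubectl get pods --all-namespaces -o json | python3 audit_privileged.py; the exit status is 1 whenever a finding exists, which lets the check run unattended in a pipeline. Expect hits in kube-system (CNI, CSI and monitoring agents on AKS are commonly privileged); the review question for those is whether each one is justified, not whether it exists.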

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, open the AKS cluster, go to Kubernetes resources > Workloads, and open the YAML of the deployment or pod.

  2. For every container that does not need node-level access, ensure securityContext.privileged is false or unset (unset defaults to false). Init containers count too.

  3. Where a workload genuinely needs kernel-level access, record the justification, keep it in a dedicated namespace that is excluded from the enforcement policy, and grant only what it needs (for example a single capability under securityContext.capabilities.add or a specific host device) rather than the whole privileged flag.

Using Azure CLI:

  1. Edit the deployment (or other controller) whose pod template grants privileged access:

    kubectl edit deployment <deployment-name> --namespace=<namespace>

  2. Set privileged: false under securityContext for each affected container and init container in the pod template, then save; the controller rolls out new pods with the corrected spec. A pod that was created directly rather than by a controller must be deleted and recreated, because securityContext is immutable on a running pod.

  3. To stop the setting from returning, enforce the Pod Security Standards baseline (or restricted) profile on the namespace with the pod-security.kubernetes.io/enforce label, and use the warn and audit labels first to find workloads that would be rejected.
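Editing each deployment by hand does not scale across a cluster. The script below is an added example (not part of this benchmark or of any Azure tooling) that takes a workload object as returned by kubectl get deployment <name> -n <namespace> -o json, generates the minimal JSON patch that flips privileged: true to false in every container of the pod template, and dry-runs the patch locally before it is sent with kubectl patch --type=json. The Deployment embedded in it is constructed; the names are invented.

```python
"""Generate and dry-run a JSON patch that removes privileged: true from a
workload's pod template.

Added example, not part of the benchmark text. The Deployment below is a
constructed sample; with a real object from `kubectl get deployment
<name> -n <ns> -o json` the printed operations can be applied with
`kubectl patch deployment <name> -n <ns> --type=json -p '<ops>'`.
"""
import copy
import json

CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")

# Constructed sample shaped like `kubectl get deployment -o json` output;
# the names are invented.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "frontend", "namespace": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "sysctl-tune", "securityContext": {"privileged": True}}],
        "containers": [
            {"name": "nginx",
             "securityContext": {"privileged": True, "runAsNonRoot": True}},
            {"name": "sidecar"},                    # securityContext unset
            {"name": "exporter", "securityContext": {"privileged": False}},
        ]}}},
}


def pod_spec(workload):
    """Return (JSON-pointer prefix, pod spec). Controllers such as
    Deployments embed the pod spec under spec.template; a bare Pod keeps
    it directly under spec."""
    spec = workload["spec"]
    if "template" in spec:
        return "/spec/template/spec", spec["template"]["spec"]
    return "/spec", spec


def still_privileged(workload):
    """Names ('kind/container') of containers still marked privileged."""
    _, spec = pod_spec(workload)
    return [f"{kind}/{c['name']}"
            for kind in CONTAINER_KINDS
            for c in spec.get(kind, [])
            if (c.get("securityContext") or {}).get("privileged") is True]


def unprivilege_ops(workload):
    """Return RFC 6902 operations that flip privileged: true to false.

    Only containers with an explicit true are touched: an unset field
    already defaults to false, and other securityContext fields such as
    runAsNonRoot are left exactly as they were, so the patch is
    idempotent and minimal.
    """
    prefix, spec = pod_spec(workload)
    ops = []
    for kind in CONTAINER_KINDS:
        for idx, c in enumerate(spec.get(kind, [])):
            if (c.get("securityContext") or {}).get("privileged") is True:
                ops.append({"op": "replace",
                            "path": f"{prefix}/{kind}/{idx}/securityContext/privileged",
                            "value": False})
    return ops


def apply_replace_ops(workload, ops):
    """Apply 'replace' ops (the only kind unprivilege_ops emits) to a deep
    copy, so the result can be checked before the patch reaches the API."""
    out = copy.deepcopy(workload)
    for op in ops:
        if op["op"] != "replace":
            raise ValueError(f"unsupported op {op['op']}")
        node = out
        parts = op["path"].strip("/").split("/")
        for part in parts[:-1]:
            node = node[int(part)] if isinstance(node, list) else node[part]
        node[parts[-1]] = op["value"]
    return out


if __name__ == "__main__":
    ops = unprivilege_ops(SAMPLE_DEPLOYMENT)
    patched = apply_replace_ops(SAMPLE_DEPLOYMENT, ops)
    assert still_privileged(patched) == []   # dry run must leave nothing privileged
    print(json.dumps(ops))                    # feed to: kubectl patch ... --type=json -p
```

The patch uses replace rather than add because only containers that already carry an explicit privileged: true are changed; a second run produces an empty operation list, so the script is safe to re-run. Applying the patch to a Deployment triggers a rollout, so schedule it like any other change to the workload.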

Backout Plan:

Using Azure Console:

  1. If removing privileged access breaks a workload, restore privileged: true for the specific containers that need it, record the justification, and make sure the namespace's enforcement label does not reject the restored pods.

Using Azure CLI:

  1. Revert the change to the deployment or pod template to allow privileged access:

     kubectl edit deployment <deployment-name> --namespace=<namespace>

  2. Set privileged: true only for the containers that need it, and record why.

References:

  1. Kubernetes documentation: Pod Security Standards and Pod Security Admission (PodSecurityPolicy, which this recommendation originally referenced, was removed in Kubernetes 1.25)

  2. Kubernetes Security Best Practices