Profile Applicability:
Level 1
Description:
The allowPrivilegeEscalation flag in Kubernetes controls whether a process can gain more privileges than its parent process. When set to true, containers can escalate privileges, which increases the risk of privilege escalation attacks. This check ensures that allowPrivilegeEscalation is disabled (false) for containers, minimizing the risk of unauthorized privilege escalation.
Rationale:
Privilege escalation within a container allows processes to gain more control over the container or the host system. By setting allowPrivilegeEscalation: false, the system ensures that processes inside the container cannot escalate their privileges, thereby improving security and reducing the potential impact of container vulnerabilities.
Impact:
Pros:
Reduces the risk of privilege escalation attacks within the cluster.
Ensures processes inside containers cannot gain unauthorized access to sensitive resources.
Cons:
Certain applications that require elevated privileges might be impacted.
It may require careful configuration for workloads that rely on specific privileges.
Default Value:
By default, Kubernetes may allow privilege escalation unless explicitly restricted. Setting this flag to false ensures that containers cannot escalate privileges.
Pre-requisites:
Ensure that container security configurations are reviewed, and applications that need elevated privileges are explicitly configured to do so with proper controls.
Remediation
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access the Kubernetes cluster.
Review the container specifications to ensure that allowPrivilegeEscalation is set to false.
Ensure that containers that do not need privilege escalation have the flag correctly set.
Using Azure CLI:
Use the following command to check the allowPrivilegeEscalation setting for containers:
kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.containers[*].securityContext.allowPrivilegeEscalation}'
Ensure that the allowPrivilegeEscalation field is set to false unless the container explicitly requires elevated privileges.
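The jsonpath query above prints only the values it finds, reads only spec.containers, and prints nothing for containers that leave the field unset. The following script is an added example, not part of the original benchmark text: it names every container whose allowPrivilegeEscalation is not explicitly false. The function name audit_pods, the sample data and the decision to report unset fields are assumptions made for this example.

```python
import json
import sys

# Container lists in a pod spec; the jsonpath query above reads only "containers".
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def audit_pods(pod_list):
    """Return (namespace, pod, container, state) for each container whose
    allowPrivilegeEscalation is not explicitly false."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for ctr in spec.get(field) or []:
                value = (ctr.get("securityContext") or {}).get("allowPrivilegeEscalation")
                if value is False:
                    continue  # compliant: explicitly disabled
                # Assumption: an unset field is a finding, per the Default Value note.
                state = "true" if value is True else "unset"
                findings.append((meta.get("namespace"), meta.get("name"), ctr.get("name"), state))
    return findings


# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {
         "containers": [
             {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}},
             {"name": "sidecar"}],
         "initContainers": [
             {"name": "init", "securityContext": {"allowPrivilegeEscalation": True}}]}},
    {"metadata": {"namespace": "prod", "name": "db"},
     "spec": {"containers": [
         {"name": "db", "securityContext": {"allowPrivilegeEscalation": False}}]}},
]}

if __name__ == "__main__":
    # With a file argument, audit saved kubectl JSON; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pods = json.load(fh)
    else:
        pods = SAMPLE
    for ns, pod, ctr, state in audit_pods(pods):
        print(f"{ns}/{pod}\t{ctr}\tallowPrivilegeEscalation={state}")
```

To audit a live cluster, save the output of kubectl get pods --all-namespaces -o json to a file and pass the file name as the argument.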
Implementation Plan:
Using Azure Console:
Access the Azure portal and review the pod or container security settings.
Set allowPrivilegeEscalation: false for containers that do not require privilege escalation.
Apply the changes and ensure that the necessary applications are unaffected.
Using Azure CLI:
Edit the pod or container spec to disable privilege escalation by setting allowPrivilegeEscalation: false:
kubectl edit deployment <deployment-name> --namespace=<namespace>
Add or modify the securityContext of each container in the pod specification to include allowPrivilegeEscalation: false.
Backout Plan:
Using Azure Console:
If restricting privilege escalation causes issues with certain applications, revert the configuration by setting allowPrivilegeEscalation to true for those specific containers.
Using Azure CLI:
Revert the change by editing the pod or container spec and allowing privilege escalation:
kubectl edit deployment <deployment-name> --namespace=<namespace>
Set allowPrivilegeEscalation: true for the affected containers.