Profile Applicability:
Level 1
Description:
The allowPrivilegeEscalation field in a container's securityContext controls whether a process in the container can gain more privileges than it started with (e.g., running as root) during execution. This check ensures that allowPrivilegeEscalation is set to false for containers unless absolutely necessary, reducing the risk of privilege escalation attacks within the Kubernetes cluster.
Rationale:
Allowing privilege escalation can make it easier for an attacker to escalate from a low-privilege container into a higher-privilege one, potentially compromising the host system. By ensuring allowPrivilegeEscalation is disabled, containers are restricted from gaining additional privileges, thereby improving the security of your cluster.
Impact:
Pros:
Limits the potential for privilege escalation attacks within the cluster.
Enforces the principle of least privilege by preventing containers from gaining higher privileges than needed.
Cons:
Some workloads may require privilege escalation for specific tasks, such as accessing certain system resources or performing administrative tasks.
May require changes to existing workloads to meet the security policy.
Default Value:
By default, Kubernetes allows allowPrivilegeEscalation for containers, meaning that containers can escalate privileges unless restricted.
Pre-requisites:
Ensure that PodSecurityPolicies (PSPs) or other security mechanisms are in place to prevent privilege escalation.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access the Azure Kubernetes Service (AKS) cluster.
Review the Pod specifications and verify that allowPrivilegeEscalation is set to false for containers.
Ensure that PodSecurityPolicies or Admission Controllers are configured to restrict privilege escalation for containers.
Using Azure CLI:
Use the following command to check for the use of allowPrivilegeEscalation in the pod specifications:
kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.containers[*].securityContext.allowPrivilegeEscalation}'
Verify that allowPrivilegeEscalation is set to false or is not defined in any of the containers unless explicitly required.
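As an added example (not part of this benchmark or of the Kubernetes project), the following Python script consumes the output of kubectl get pods --all-namespaces -o json on stdin and reports every container that can still escalate privileges. It goes beyond the jsonpath check above: it names the namespace, pod and container, it also inspects init containers, it treats an unset field as non-compliant because the Kubernetes default is true, and it flags privileged containers and containers adding SYS_ADMIN, for which Kubernetes forces allowPrivilegeEscalation to true. The embedded sample data is constructed and is only used when nothing is piped in.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [
             {"name": "nginx", "securityContext": {"allowPrivilegeEscalation": False}}]}},
        {"metadata": {"namespace": "default", "name": "legacy"},
         "spec": {"initContainers": [{"name": "init"}],
                  "containers": [
                      {"name": "app", "securityContext": {"allowPrivilegeEscalation": True}},
                      {"name": "sidecar"}]}},
        {"metadata": {"namespace": "kube-system", "name": "agent"},
         "spec": {"containers": [
             {"name": "agent", "securityContext": {"allowPrivilegeEscalation": False,
                                                    "privileged": True}}]}},
    ]
}


def escalation_findings(pod_list):
    """Return (namespace, pod, container, reason) for each container able to escalate."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # Init containers run with their own securityContext, so check them too.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            sc = c.get("securityContext") or {}
            added_caps = (sc.get("capabilities") or {}).get("add") or []
            if sc.get("privileged"):
                reason = "privileged: true forces allowPrivilegeEscalation to true"
            elif "SYS_ADMIN" in added_caps:
                reason = "SYS_ADMIN capability forces allowPrivilegeEscalation to true"
            elif "allowPrivilegeEscalation" not in sc:
                reason = "allowPrivilegeEscalation unset (defaults to true)"
            elif sc["allowPrivilegeEscalation"]:
                reason = "allowPrivilegeEscalation: true"
            else:
                continue  # explicitly false and not overridden: compliant
            findings.append((meta["namespace"], meta["name"], c["name"], reason))
    return findings


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, ctr, why in escalation_findings(data):
        print(f"{ns}/{pod} container={ctr}: {why}")
```

Run it against a live cluster with kubectl get pods --all-namespaces -o json | python3 check_ape.py (the file name is assumed); an empty output means every container has allowPrivilegeEscalation effectively false.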
Implementation Plan:
Using Azure Console:
In the Azure portal, go to your AKS cluster and access the Pod specifications.
Update the security context to disable allowPrivilegeEscalation for containers:
securityContext:
  allowPrivilegeEscalation: false
Apply a PodSecurityPolicy to enforce the restriction on privilege escalation. For example:
# Note: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on newer clusters the equivalent restriction is enforced through Pod Security Admission.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-privilege-escalation
spec:
  allowPrivilegeEscalation: false
  allowedCapabilities: []
  requiredDropCapabilities: ["ALL"]
  # The following rule fields are mandatory in a PodSecurityPolicy; RunAsAny keeps them permissive so that only privilege escalation is restricted here
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
Apply this policy to ensure that containers cannot escalate their privileges unless explicitly allowed.
Using Azure CLI:
Modify the Pod specification to disable privilege escalation:
securityContext:
  allowPrivilegeEscalation: false
Apply the updated Pod configuration:
kubectl apply -f pod-spec.yaml
To enforce the policy across the cluster, create a PodSecurityPolicy:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-privilege-escalation
spec:
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  # The following rule fields are mandatory in a PodSecurityPolicy; RunAsAny keeps them permissive so that only privilege escalation is restricted here
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
Apply the PodSecurityPolicy:
kubectl apply -f pod-security-policy.yaml
Backout Plan:
Using Azure Console:
If restricting allowPrivilegeEscalation causes issues, revert the changes in the Azure portal by allowing privilege escalation for specific workloads or modifying the PodSecurityPolicy.
Using Azure CLI:
Revert the Pod specification by setting allowPrivilegeEscalation to true or removing the configuration:
securityContext:
  allowPrivilegeEscalation: true
Apply the reverted configuration:
kubectl apply -f pod-spec.yaml
Revert any PodSecurityPolicy changes by deleting the policy:
kubectl delete podsecuritypolicy restrict-privilege-escalation
References:
Kubernetes Security Context Documentation
Kubernetes PodSecurityPolicy Documentation