mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
37 lines
1.3 KiB
Markdown
37 lines
1.3 KiB
Markdown
|
# Disable privileged containers
|
|||
|
|
|
|||
|
|
Privileged containers are defined as any container where the container uid 0 is mapped to the host’s uid 0. A process within privileged containers can get unrestricted host access. With `securityContext.allowPrivilegeEscalation` enabled a process can gain privileges from its parent.
|
|||
|
|
|
|||
|
|
To disallow privileged containers and the escalation of privileges it is recommended to run pod containers with `securityContext.priveleged` as `false` and `allowPrivilegeEscalation` as `false`.
|
|||
|
|
|
|||
|
|
## Policy YAML
|
|||
|
|
|
|||
|
|
[disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml)
|
|||
|
|
|
|||
|
|
````yaml
|
|||
|
|
apiVersion: kyverno.io/v1alpha1
|
|||
|
|
kind: ClusterPolicy
|
|||
|
|
metadata:
|
|||
|
|
name: validate-deny-privileged-priviligedescalation
|
|||
|
|
spec:
|
|||
|
|
rules:
|
|||
|
|
- name: deny-privileged-priviligedescalation
|
|||
|
|
match:
|
|||
|
|
resources:
|
|||
|
|
kinds:
|
|||
|
|
- Pod
|
|||
|
|
validate:
|
|||
|
|
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
|
|||
|
|
anyPattern:
|
|||
|
|
- spec:
|
|||
|
|
securityContext:
|
|||
|
|
allowPrivilegeEscalation: false
|
|||
|
|
privileged: false
|
|||
|
|
- spec:
|
|||
|
|
containers:
|
|||
|
|
- name: "*"
|
|||
|
|
securityContext:
|
|||
|
|
allowPrivilegeEscalation: false
|
|||
|
|
privileged: false
|
|||
|
|
````
|