Action Item: Check Kubernetes Configuration for Privilege Escalation

Learn how Fairwinds Insights checks for privilege escalation.


Hi today. I'd like to talk with you about the Insights action item privilege escalation should not be allowed. We'll talk about what that means and we'll cover the mitigation step for the security vulnerability.

Here in the Insights UI I have pre-selected two containers running in my test cluster that fall under this action item. We'll click on one and you can see that first, there is a description of the action item followed by any remediation steps. As you can see in the description for this action item, we talk about what the allowed privilege escalation setting does. This setting controls whether a process can gain more privileges than its parent process. In our case, it controls whether the container can spawn new processes that have more privileges than itself. The mitigation steps for this particular action item are pretty straightforward. As you can see in this example, we're going to add this, allow privilege escalation false entry to our security context.

Of course, in your environment, you're going to want to edit your source code, however you populate and create those manifests that you're deploying to your clusters. In my case, since this is a test environment, my YAML is local.

I'm just going to edit this awesome-pod YAML here on my local machine. Mitigating this security vulnerability is as simple as adding a securityContext map and then setting a key, allowPrivilegeEscalation and setting that value to false.

We'll save this file. We'll do a k apply -f awesome-pod.yaml on the awesome pod and watch it spin up. Now we’ll take a look at the awesome-pod. Here you can see the awesome pod is running with a securityContext and one of the values in that security context is allow privilege escalation false.