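# METADATA
# title: "Can elevate its own privileges"
# description: "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# custom:
#   id: KSV001
#   avd_id: AVD-KSV-0001
#   severity: MEDIUM
#   short_code: no-self-privesc
#   recommended_action: "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'."
#   input:
#     selector:
#     - type: kubernetes
package builtin.kubernetes.KSV001

import data.lib.kubernetes
import data.lib.utils

default checkAllowPrivilegeEscalation = false

# getNoPrivilegeEscalationContainers returns the names of all containers which have
# securityContext.allowPrivilegeEscalation explicitly set to false.
getNoPrivilegeEscalationContainers[container] {
	allContainers := kubernetes.containers[_]
	allContainers.securityContext.allowPrivilegeEscalation == false
	container := allContainers.name
}

# getPrivilegeEscalationContainers returns the container objects which have
# securityContext.allowPrivilegeEscalation set to true or not set at all.
#
# The container is bound once and inspected directly. The earlier body iterated
# kubernetes.containers[_] in two independent expressions (one for the name lookup,
# one for the returned object); because each `_` is a separate variable, the rule
# produced a cross product and reported every container in the workload — compliant
# ones included — as soon as a single container lacked allowPrivilegeEscalation: false.
getPrivilegeEscalationContainers[container] {
	container := kubernetes.containers[_]

	# An unset field leaves the comparison undefined, so `not` succeeds for both
	# an explicit `true` and a missing value — matching the "true or not set" contract.
	not container.securityContext.allowPrivilegeEscalation == false
}

# deny emits one result per container that can still escalate privileges.
# Only the offending container object is attached, so the finding's location
# points at the container that actually needs the securityContext change.
deny[res] {
	output := getPrivilegeEscalationContainers[_]
	msg := kubernetes.format(sprintf("Container '%s' of %s '%s' should set 'securityContext.allowPrivilegeEscalation' to false", [output.name, kubernetes.kind, kubernetes.name]))
	res := result.new(msg, output)
}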