Container with privilege escalation should be avoided

CRITICAL

Prevents containers from gaining additional privileges beyond their initial set, blocking privilege escalation attacks.

What does this mean?

This recommendation ensures that containers cannot escalate their privileges at runtime. The allowPrivilegeEscalation flag should be set to false, preventing processes inside the container from gaining more capabilities than they were initially granted.
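The following is an added example, not part of the original recommendation text: a small Python audit that walks a pod manifest (constructed inline, not taken from any real workload) and reports every container whose effective `allowPrivilegeEscalation` is not false, then shows a hardening pass that sets the flag explicitly. It encodes two facts about the flag: Kubernetes treats an unset value as true, and forces it to true when a container is privileged or adds CAP_SYS_ADMIN, so setting the flag alone cannot make such containers compliant. The function and manifest names are the example's own.

```python
"""Audit a Kubernetes pod spec for allowPrivilegeEscalation (added example)."""
import copy
import json

# Constructed sample manifest (not from the original page): one compliant
# container, one that omits the flag, one that sets it to true, and a
# privileged init container that the flag alone cannot fix.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-app"},
    "spec": {
        "initContainers": [
            {"name": "setup", "image": "busybox",
             "securityContext": {"privileged": True}},
        ],
        "containers": [
            {"name": "web", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "fluent-bit"},
            {"name": "worker", "image": "worker",
             "securityContext": {"allowPrivilegeEscalation": True}},
        ],
    },
}

# Every list in a PodSpec that can hold a container definition.
CONTAINER_KEYS = ("initContainers", "containers", "ephemeralContainers")


def _normalize_cap(name):
    """Compare capabilities case-insensitively, with or without the CAP_ prefix."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def effective_allow_privilege_escalation(container):
    """Return (allowed, reason) for one container.

    Kubernetes semantics: an unset flag behaves as true, and a privileged
    container or one that adds CAP_SYS_ADMIN always allows escalation.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True, "privileged containers always allow escalation"
    caps = (sc.get("capabilities") or {}).get("add") or []
    if "SYS_ADMIN" in {_normalize_cap(c) for c in caps}:
        return True, "CAP_SYS_ADMIN forces allowPrivilegeEscalation=true"
    value = sc.get("allowPrivilegeEscalation")
    if value is None:
        return True, "allowPrivilegeEscalation not set (defaults to true)"
    return bool(value), "allowPrivilegeEscalation explicitly set"


def audit_pod(pod):
    """Return [(container list, container name, reason)] for non-compliant containers."""
    findings = []
    spec = pod.get("spec", {})
    for key in CONTAINER_KEYS:
        for container in spec.get(key, []):
            allowed, reason = effective_allow_privilege_escalation(container)
            if allowed:
                findings.append((key, container["name"], reason))
    return findings


def harden_pod(pod):
    """Return a deep copy with allowPrivilegeEscalation=false on every container.

    The privileged setting is deliberately left alone: removing it changes
    workload behaviour, so it stays a finding for manual review.
    """
    hardened = copy.deepcopy(pod)
    spec = hardened.get("spec", {})
    for key in CONTAINER_KEYS:
        for container in spec.get(key, []):
            container.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return hardened


if __name__ == "__main__":
    print("before:", json.dumps(audit_pod(SAMPLE_POD), indent=2))
    print("after: ", json.dumps(audit_pod(harden_pod(SAMPLE_POD)), indent=2))
```

Running the module reports three findings for the sample pod (the unset sidecar, the explicitly true worker, and the privileged init container); after hardening, only the privileged init container remains, which is the case that needs a design change rather than a flag.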

Benefits of implementation

  • Blocks a common container escape vector
  • Limits the impact of exploited vulnerabilities within containers
  • Required by CIS Kubernetes Benchmark and MCSB

Drawbacks and considerations

  • Some legacy applications may require privilege escalation to function
  • Requires testing to verify workloads operate correctly
  • May conflict with certain init containers or debugging tools

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Frameworks

Details

Risk Level: CRITICAL
Category: Container Security
Azure Resource:
Frameworks: 3 frameworks
Last updated: 2026-02-12