Detects containers that run with privileged: true in their securityContext. A privileged container is granted every Linux capability, is normally run without the default seccomp and AppArmor confinement, and sees the node's devices under /dev, so it is effectively root on the host: mounting the node's root disk or loading a kernel module from inside the container is enough to escape it. The setting is container-level only; there is no pod-level equivalent, which is why the check below walks every container list rather than the pod securityContext.
apiVersion: spotter.madhuakula.com/v1
kind: Rule
metadata:
  name: container-is-privileged
  description: "Detects containers running with privileged access"
  category: "Workload Security"
  severity: "high"
  version: "1.2.0"
  author: "Spotter Security Team"
  tags:
    - privileged
    - container
    - security
    - workload
  compliance:
    - CIS
    - NIST
    - PCI DSS
spec:
  target:
    apiVersions:
      - v1
    kinds:
      - Pod
      - Deployment
      - DaemonSet
      - StatefulSet
      - ReplicaSet
      - Job
      - CronJob
  expression: |
    // privileged is a container-level field only (there is no pod-level
    // securityContext.privileged), so each container list is walked.
    // Init containers are checked as well: a privileged init container
    // has the same host access as a privileged app container.
    // Pod: containers sit directly under spec.
    (has(object.spec.containers) && object.spec.containers.exists(c,
      has(c.securityContext) && has(c.securityContext.privileged) &&
      c.securityContext.privileged == true)) ||
    (has(object.spec.initContainers) && object.spec.initContainers.exists(c,
      has(c.securityContext) && has(c.securityContext.privileged) &&
      c.securityContext.privileged == true)) ||
    // Deployment, DaemonSet, StatefulSet, ReplicaSet, Job: the pod spec is
    // the template under spec.template.spec. The has() guards keep each
    // branch false on kinds that lack the field.
    (has(object.spec.template) && has(object.spec.template.spec) && (
      (has(object.spec.template.spec.containers) &&
        object.spec.template.spec.containers.exists(c,
          has(c.securityContext) && has(c.securityContext.privileged) &&
          c.securityContext.privileged == true)) ||
      (has(object.spec.template.spec.initContainers) &&
        object.spec.template.spec.initContainers.exists(c,
          has(c.securityContext) && has(c.securityContext.privileged) &&
          c.securityContext.privileged == true)))) ||
    // CronJob: one level deeper, under spec.jobTemplate.spec.template.spec.
    (has(object.spec.jobTemplate) && has(object.spec.jobTemplate.spec) &&
      has(object.spec.jobTemplate.spec.template) &&
      has(object.spec.jobTemplate.spec.template.spec) && (
      (has(object.spec.jobTemplate.spec.template.spec.containers) &&
        object.spec.jobTemplate.spec.template.spec.containers.exists(c,
          has(c.securityContext) && has(c.securityContext.privileged) &&
          c.securityContext.privileged == true)) ||
      (has(object.spec.jobTemplate.spec.template.spec.initContainers) &&
        object.spec.jobTemplate.spec.template.spec.initContainers.exists(c,
          has(c.securityContext) && has(c.securityContext.privileged) &&
          c.securityContext.privileged == true))))
  message: "Container is running with privileged: true, which gives it root-equivalent access to the node"
  recommendation: |
    Remove the 'privileged: true' setting from the container's securityContext.
    If elevated permissions are needed, drop every capability and add back only
    the specific ones the workload actually uses:
      securityContext:
        privileged: false        # Explicitly set to false
        capabilities:
          drop:
            - ALL                # Start from nothing
          add:
            - NET_ADMIN          # Example: only add the capabilities actually needed
    Some capabilities (SYS_ADMIN, SYS_MODULE, SYS_PTRACE) are nearly as dangerous
    as privileged mode and deserve the same scrutiny. A restrictive pod-level
    securityContext does not neutralise privileged: true on a container; the
    container-level setting wins.
  references:
    - "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
    - "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
  examples:
    - name: "Privileged container (violation)"
      yaml: |
        apiVersion: v1
        kind: Pod
        metadata:
          name: privileged-pod
        spec:
          containers:
            - name: app
              image: nginx
              securityContext:
                privileged: true  # This will trigger the rule
    - name: "Non-privileged container (compliant)"
      yaml: |
        apiVersion: v1
        kind: Pod
        metadata:
          name: secure-pod
        spec:
          containers:
            - name: app
              image: nginx
              securityContext:
                privileged: false
                runAsNonRoot: true
                runAsUser: 1000
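The same check, re-implemented in Python as an added example (this is not Spotter's code, and the manifests it scans are constructed here rather than taken from a cluster). It shows the part a one-line CEL expression hides: where the pod spec lives for each workload kind, and that initContainers and ephemeralContainers must be walked as well as containers. The POD_SPEC_PATH table and the helper names are this example's own assumptions; they mirror the Kubernetes API shapes for the kinds the rule targets.

```python
"""Added example (not Spotter's own code): find containers that set
privileged: true across Kubernetes workload kinds, walking to the pod
spec the way a checker must for Deployments, CronJobs, etc."""
from typing import Dict, List

# Where each workload kind keeps its pod spec. Assumption of this example,
# mirroring the Kubernetes API; a CronJob nests a Job template in its spec.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# `privileged` is a container-level field only; there is no pod-level
# securityContext.privileged, so every container list must be inspected.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(obj: dict) -> dict:
    """Return the pod spec of a supported workload object, or {} if missing."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return {}
    node = obj
    for key in path:
        if not isinstance(node, dict):
            return {}
        node = node.get(key, {})
    return node if isinstance(node, dict) else {}


def privileged_containers(obj: dict) -> List[str]:
    """Names ("<list>/<name>") of containers that set privileged: true.

    Only a literal boolean True counts: an absent key or privileged: false
    is compliant, which matches the rule's `== true` comparison.
    """
    spec = pod_spec(obj)
    hits = []
    for field in CONTAINER_LISTS:
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                hits.append(f"{field}/{c.get('name', '<unnamed>')}")
    return hits


def scan(objects: List[dict]) -> Dict[str, List[str]]:
    """Map 'Kind/name' of each violating object to its privileged containers."""
    report = {}
    for obj in objects:
        hits = privileged_containers(obj)
        if hits:
            report[f"{obj['kind']}/{obj['metadata']['name']}"] = hits
    return report


# Constructed sample manifests (Python dicts rather than YAML so no parser
# is needed). The first two are the rule's own examples.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "privileged-pod"},
    "spec": {"containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"privileged": True}}]},
}
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
    "spec": {"containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"privileged": False,
                                                 "runAsNonRoot": True,
                                                 "runAsUser": 1000}}]},
}
# Clean app container, privileged init container: a check that looks only
# at spec.containers misses this one.
INIT_PRIVILEGED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "sysctl-tuner"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "tune", "image": "busybox",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "app", "image": "nginx"}],
    }}},
}
# CronJob: the pod spec is three templates deep.
PRIVILEGED_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {
        "spec": {"containers": [{"name": "job", "image": "busybox",
                                 "securityContext": {"privileged": True}}]},
    }}}},
}
SAMPLE_OBJECTS = [PRIVILEGED_POD, SECURE_POD,
                  INIT_PRIVILEGED_DEPLOYMENT, PRIVILEGED_CRONJOB]

if __name__ == "__main__":
    for target, names in scan(SAMPLE_OBJECTS).items():
        print(f"{target}: privileged -> {', '.join(names)}")
```

Running it reports privileged-pod, sysctl-tuner (via its init container) and nightly; secure-pod is clean. The comparison is `is True` rather than truthiness on purpose: the API only accepts a boolean for this field, and a checker that used truthiness would also flag a hand-written manifest containing the string "false".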