About
Privileged containers disable some of the security mechanisms which provide for container isolation. Access to a privileged container allows for breakout to the underlying host.
Understanding Impact
Business Impact
Access to a privileged container can allow an attacker to gain access to information from other applications running on the same machine and any data they process.
Technical Impact
When using standard container runtimes (for example containerd or CRI-O), access to a privileged container allows for easy breakout to the underlying host, which in turn gives access to all other workloads on that node and to the credentials of the node agent (kubelet). This presents opportunities for privilege escalation, by design.
Identify affected resources
This kubectl command can be used to identify any privileged containers in a cluster:

kubectl get pods --all-namespaces -o json | jq -r '.items[] | .spec.containers[] | select(.securityContext.privileged==true) | .name'
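The jq one-liner above reports only the container name and walks only .spec.containers. The following script is an added example (not part of this page or of any scanner) that performs the same check over the parsed output of kubectl get pods --all-namespaces -o json, but also covers initContainers and ephemeralContainers and reports the namespace and pod so each finding can be traced; the embedded pod list is a constructed sample, not real cluster output.

```python
import json

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`
# (not real cluster output): one privileged app container, one privileged
# init container, a non-privileged container, and a pod with no securityContext.
SAMPLE_POD_LIST = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "default", "name": "web-0"},
     "spec": {"containers": [
        {"name": "nginx", "securityContext": {"privileged": false}}]}},
    {"metadata": {"namespace": "monitoring", "name": "agent-1"},
     "spec": {"initContainers": [
        {"name": "sysctl-setup", "securityContext": {"privileged": true}}],
      "containers": [
        {"name": "collector", "securityContext": {"privileged": true}},
        {"name": "sidecar"}]}},
    {"metadata": {"namespace": "kube-system", "name": "dns-2"},
     "spec": {"containers": [{"name": "coredns"}]}}
  ]
}
""")

# Privileged mode can be set on any of the three container lists in a pod spec,
# so all of them are checked rather than only .spec.containers.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def find_privileged_containers(pod_list):
    """Return (namespace, pod, list, container) for every privileged container.

    `pod_list` is the parsed JSON of `kubectl get pods --all-namespaces -o json`.
    A missing securityContext or privileged field means not privileged.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for kind in CONTAINER_LISTS:
            for container in spec.get(kind) or []:
                ctx = container.get("securityContext") or {}
                if ctx.get("privileged") is True:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     kind, container.get("name")))
    return findings


if __name__ == "__main__":
    for ns, pod, kind, name in find_privileged_containers(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} {kind}: {name}")
```

To run it against a live cluster, pass json.load() of the kubectl output to find_privileged_containers() instead of the sample.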
Remediate vulnerable resources
Review the list of containers from the check and, where possible, remove privileged access.