KA-C002: Privilege escalation allowed

Severity: Error | Category: Security | Profile: PSS Restricted

CIS Kubernetes Benchmark v1.8, Section 5.2.5: Minimize the admission of containers with allowPrivilegeEscalation

Why This Matters

When allowPrivilegeEscalation is absent or set to true, a process inside the container can gain more privileges than its parent: a setuid-root binary such as su or sudo, or a file carrying filesystem capabilities, raises the effective privileges of a process that is otherwise running as an unprivileged user. Setting the field to false makes the kubelet start the container with the Linux no_new_privs flag, which blocks those transitions for the container process and every descendant; inside a running container, grep NoNewPrivs /proc/self/status shows NoNewPrivs: 1 when the setting has taken effect. Note that Kubernetes forces the field to true when the container is privileged or adds CAP_SYS_ADMIN, so those settings have to be removed before this one can help. The PSS Restricted profile requires allowPrivilegeEscalation=false on every container in spec.containers[*], spec.initContainers[*] and spec.ephemeralContainers[*].

How to Fix

Set allowPrivilegeEscalation to false in the securityContext of every container, including initContainers and ephemeralContainers. Other fields in the securityContext (runAsNonRoot in the example below) do not imply it.

Before (incorrect)

containers:
  - name: app
    securityContext:
      runAsNonRoot: true

After (correct)

containers:
  - name: app
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
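To find every container a rollout of this fix still has to touch, the check can be run over manifests before they are applied. The following script is an added example for this page, not the rule engine's own code: it walks the three container lists PSS Restricted inspects (initContainers, containers, ephemeralContainers) in a Pod, a CronJob or any template-based workload, reports containers that leave the field unset or true, and separately reports containers where false cannot take effect because they are privileged or add CAP_SYS_ADMIN. The two manifests are constructed for the demonstration; the function and reason names are the example's own.

```python
"""Flag containers that leave allowPrivilegeEscalation unset or true (KA-C002).

Added example for this rule page, not the rule engine's own code.
"""
import json

# Every container list that the PSS Restricted profile inspects.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")

REASON_UNSET = "allowPrivilegeEscalation not set (escalation allowed by default)"
REASON_TRUE = "allowPrivilegeEscalation: true"
REASON_CANNOT_DISABLE = ("privileged or CAP_SYS_ADMIN set: Kubernetes forces "
                         "allowPrivilegeEscalation to true here, fix that first")


def pod_spec_of(obj):
    """Return the PodSpec of a Pod, a CronJob or a template-based workload."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployment, StatefulSet, DaemonSet, ReplicaSet, Job (and CronJob's Job).
    return spec.get("template", {}).get("spec", {})


def check_privilege_escalation(obj):
    """Return (field, container name, reason) findings; an empty list is compliant."""
    findings = []
    spec = pod_spec_of(obj)
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            ape = sc.get("allowPrivilegeEscalation")
            if ape is None:
                findings.append((field, name, REASON_UNSET))
            elif ape is not False:
                findings.append((field, name, REASON_TRUE))
            # Privileged containers and containers adding CAP_SYS_ADMIN (or ALL,
            # which includes it) always allow escalation whatever the field says.
            caps = {c.upper().replace("CAP_", "", 1)
                    for c in (sc.get("capabilities") or {}).get("add", [])}
            if sc.get("privileged") is True or caps & {"SYS_ADMIN", "ALL"}:
                findings.append((field, name, REASON_CANNOT_DISABLE))
    return findings


# Constructed sample manifest (not from any real workload): the init
# container omits the field and the sidecar sets it to true.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "app"},
  "spec": {"template": {"spec": {
    "initContainers": [
      {"name": "migrate", "securityContext": {"runAsNonRoot": true}}
    ],
    "containers": [
      {"name": "app",
       "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false}},
      {"name": "sidecar",
       "securityContext": {"allowPrivilegeEscalation": true}}
    ]
  }}}
}
""")

# Constructed sample where the field is false but cannot take effect.
SAMPLE_PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"containers": [{
        "name": "shell",
        "securityContext": {"privileged": True, "allowPrivilegeEscalation": False},
    }]},
}

if __name__ == "__main__":
    for manifest in (SAMPLE_DEPLOYMENT, SAMPLE_PRIVILEGED_POD):
        label = f"{manifest['kind']}/{manifest['metadata']['name']}"
        findings = check_privilege_escalation(manifest)
        if not findings:
            print(f"{label}: compliant")
        for field, name, reason in findings:
            print(f"{label}: KA-C002 {field}/{name}: {reason}")
```

To audit a live cluster with the same function, feed it the objects in the items list of kubectl get pods,deploy,sts,ds,jobs,cronjobs -A -o json; the second sample shows why a grep for allowPrivilegeEscalation: false alone is not enough.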

Rule Details

Rule Code: KA-C002
Severity: Error
Category: Security

Related Rules