Updated on 2024-02-01 GMT+08:00

k8spspallowprivilegeescalationcontainer

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter

    exemptImages: String array

Function

This policy sets the value of the allowPrivilegeEscalation field in PodSecurityPolicy to false.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]

Resource Definition That Complies with the Policy

In the example, the value of allowPrivilegeEscalation is false, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-privilege-escalation-allowed
  labels:
    app: nginx-privilege-escalation
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false

Resource Definition That Does Not Comply with the Policy

In the example, the value of allowPrivilegeEscalation is not false, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-privilege-escalation-disallowed
  labels:
    app: nginx-privilege-escalation
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      allowPrivilegeEscalation: true