About Kubernetes security posture scanning

Host namespaces

Pods that share host namespaces allow Pod processes to communicate with host processes and gather host information, which could lead to a container escape.

• spec.hostNetwork
• spec.hostIPC
• spec.hostPID

• Undefined or nil
• false

Privileged containers

Privileged containers allow nearly unrestricted host access. They share namespaces with the host, and lack control group, seccomp, AppArmor, and capability restrictions.

• spec.containers[*].securityContext.privileged
• spec.initContainers[*].securityContext.privileged
• spec.ephemeralContainers[*].securityContext.privileged

• Undefined or nil
• false

Host port access

Exposing a host port to a container potentially allows the container to intercept network traffic to a host service using that port or to bypass network access control rules, such as the rules in a NetworkPolicy.

• spec.containers[*].ports[*].hostPort
• spec.initContainers[*].ports[*].hostPort
• spec.ephemeralContainers[*].ports[*].hostPort

• Undefined or nil
• 0

Non-default capabilities

A container has assigned capabilities that could allow a container escape.

• spec.containers[*].securityContext.capabilities.add
• spec.initContainers[*].securityContext.capabilities.add
• spec.ephemeralContainers[*].securityContext.capabilities.add

• Undefined or nil
• AUDIT_WRITE
• CHOWN
• DAC_OVERRIDE
• FOWNER
• FSETID
• KILL
• MKNOD
• NET_BIND_SERVICE
• SETFCAP
• SETGID
• SETPCAP
• SETUID
• SYS_CHROOT

Mounting host path volumes

hostPath volumes mount files or directories from the host. These volumes present security risks that could lead to container escape.

Non-default /proc mask

The default /proc mount type masks certain paths in /proc to avoid exposure of paths that could lead to information leakage or container escape. Using a non-default type increases these risks.

• spec.containers[*].securityContext.procMount
• spec.initContainers[*].securityContext.procMount
• spec.ephemeralContainers[*].securityContext.procMount

• Undefined or nil
• Default

Unsafe sysctls mask

A Pod can be configured to allow modification of unsafe kernel parameters using the /proc/sys virtual file system. Unsafe parameters don't support namespacing, don't properly isolate their effect between Pods, could harm the node's health, or might allow the Pod to gain resources beyond its limits.

• Undefined or nil
• kernel.shm_rmid_forced
• net.ipv4.ip_local_port_range
• net.ipv4.ip_unprivileged_port_start
• net.ipv4.tcp_syncookies
• net.ipv4.ping_group_range

Running as non-root

You can explicitly allow a container to run as the root user if the runAsUser or the USER directive in the image specifies the root user. The lack of preventive security controls when running as the root user increases the risk of container escape.

• spec.securityContext.runAsNonRoot
• spec.containers[*].securityContext.runAsNonRoot
• spec.initContainers[*].securityContext.runAsNonRoot
• spec.ephemeralContainers[*].securityContext.runAsNonRoot

Privilege escalation

A container can be explicitly configured to allow privilege escalation on execution. This permits a process created within the container by executing a set-user-id, set-group-id, or file capability executable to gain the privileges specified by the executable. The lack of preventive security control increases the risk of container escape.

• spec.containers[*].securityContext.allowPrivilegeEscalation
• spec.initContainers[*].securityContext.allowPrivilegeEscalation
• spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation

Unconfined AppArmor profile

A container can be explicitly configured to be unconfined by AppArmor. This ensures that no AppArmor profile is applied to the container and is thus not constrained by them. The disabled preventive security control increases the risk of container escape.