allowPrivilegeEscalation false
Description
Container securityContext.allowPrivilegeEscalation should be false.
⚠️ Risk Impact
Allowing privilege escalation lets a process gain more privileges than its parent, for example through setuid binaries or file capabilities, so a compromised process in the container can become root inside it. Combined with a container escape, that root access enables host compromise.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Set securityContext.allowPrivilegeEscalation: false on all containers. Required for PSS Restricted.
💀 Real-World Attack Scenario
A container with allowPrivilegeEscalation: true ran an application that shipped a setuid binary. After compromising the application, the attacker used the setuid binary to escalate to root within the container and then exploited a kernel CVE to escape to the host.
💰 Cost of Non-Compliance
A breach involving container escape costs $4M+ on average.
📋 Audit Questions
1. Is allowPrivilegeEscalation set to false on all containers?
2. Is PSS Restricted enforced (not just audited)?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
spec.containers[*].securityContext.allowPrivilegeEscalation = false
⚡ Common Pitfalls
- ⛔ Field left unset, so the default (true) remains in effect for legacy compatibility
- ⛔ PSS Restricted running in audit-only mode, so violations are logged but not blocked
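The remediation and IaC fix above name the field path; the following added example (not EchelonGraph's scanner code) shows a manifest audit that checks that path the way PSS Restricted does, over a constructed Deployment manifest with one compliant and several non-compliant containers. It treats an unset field as a violation, walks initContainers and ephemeralContainers as well as containers, flags the case where privileged: true or CAP_SYS_ADMIN makes an explicit false ineffective, and applies the fix to every container. The manifest, names and images are assumptions made for the example.

```python
import json

# Constructed sample manifest (not from the page): a Deployment whose pod
# template mixes compliant and non-compliant containers.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "example-app", "namespace": "demo"},
  "spec": {
    "template": {
      "spec": {
        "initContainers": [
          {"name": "init-db", "image": "busybox"}
        ],
        "containers": [
          {"name": "web", "image": "nginx",
           "securityContext": {"allowPrivilegeEscalation": false}},
          {"name": "sidecar", "image": "busybox",
           "securityContext": {"allowPrivilegeEscalation": true}},
          {"name": "admin", "image": "busybox",
           "securityContext": {"allowPrivilegeEscalation": false,
                               "privileged": true}}
        ]
      }
    }
  }
}
""")

# PSS Restricted evaluates all three container lists of a pod spec.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that carries a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_privilege_escalation(manifest):
    """Return a list of finding strings; an empty list means the manifest passes."""
    findings = []
    spec = pod_spec(manifest)
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name, []):
            sc = container.get("securityContext") or {}
            path = f"{list_name}[{container.get('name')}].securityContext"
            value = sc.get("allowPrivilegeEscalation")
            if value is not False:
                # PSS Restricted requires the field to be explicitly false;
                # an unset field is a violation, not a pass.
                findings.append(
                    f"{path}.allowPrivilegeEscalation is {value!r}, must be false")
            added_caps = (sc.get("capabilities") or {}).get("add", [])
            if sc.get("privileged") is True or any(
                    cap in ("SYS_ADMIN", "CAP_SYS_ADMIN") for cap in added_caps):
                # Kubernetes forces allowPrivilegeEscalation to true for privileged
                # containers and for containers granted CAP_SYS_ADMIN, so an explicit
                # false on such a container has no effect.
                findings.append(
                    f"{path}: privileged or CAP_SYS_ADMIN forces escalation on regardless of the flag")
    return findings


def remediate(manifest):
    """Return a deep copy with allowPrivilegeEscalation: false on every container."""
    fixed = json.loads(json.dumps(manifest))
    for list_name in CONTAINER_LISTS:
        for container in pod_spec(fixed).get(list_name, []):
            container.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed


if __name__ == "__main__":
    for finding in check_privilege_escalation(SAMPLE_DEPLOYMENT):
        print("FAIL", finding)
    for finding in check_privilege_escalation(remediate(SAMPLE_DEPLOYMENT)):
        print("STILL FAILING AFTER FIX", finding)
```

Run against the sample, the check reports the unset init container, the sidecar with an explicit true, and the privileged container; after `remediate()` only the privileged container remains, because setting the flag does not undo what privileged: true grants. Real scanning would read manifests with a YAML loader or from the API server, but the container-walk logic is the same.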
📈 Business Value
Preventing privilege escalation limits container-escape probability.
⏱️ Effort Estimate
Per-deployment update
EchelonGraph enforces via Kyverno/OPA
🔗 Cross-Framework References
Automate CIS Kubernetes 5.2.6 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.