🔒 Pod Security Standards: PSS-AllowPrivilegeEscalation (Rule PSS-010, severity: high)

allowPrivilegeEscalation: false

Description

The Restricted level of the Pod Security Standards requires allowPrivilegeEscalation: false on every container in the Pod.

⚠️ Risk Impact

Allowing privilege escalation lets a process gain more privileges than its parent, for example through setuid binaries or capability escalation, within the container.

🔍 How EchelonGraph Detects This

PSS-010: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Set securityContext.allowPrivilegeEscalation: false on all containers.

💀 Real-World Attack Scenario

A container running with allowPrivilegeEscalation: true executed a setuid binary. Once compromised, the attacker escalated to root within the container despite a non-root runAsUser.

💰 Cost of Non-Compliance

Container escape: $4M+ average.

📋 Audit Questions

  • Is allowPrivilegeEscalation: false set on all containers?
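The remediation and the audit question above both reduce to one check per container. The following Python script is an added example, not EchelonGraph's scanner code, that audits a Pod manifest for the setting and produces the hardened manifest; the two Pod manifests embedded in it are constructed for illustration. It goes slightly beyond the text by covering initContainers and ephemeralContainers as well as containers, since the Restricted profile applies to all three lists.

```python
"""Audit Kubernetes Pod manifests for allowPrivilegeEscalation: false (PSS-010).

Added example; not EchelonGraph's scanner. Manifests are held as JSON so the
script runs offline without a YAML library; a real manifest would be loaded
from YAML the same way.
"""
import copy
import json

# Constructed sample manifest: one initContainer leaves the field unset,
# one container sets it to true, one container is already compliant.
NONCOMPLIANT_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "demo-noncompliant"},
  "spec": {
    "initContainers": [
      {"name": "init-setup", "image": "busybox:1.36"}
    ],
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": true}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ]
  }
}
""")

# Constructed compliant manifest: every container sets the field explicitly.
COMPLIANT_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "demo-compliant"},
  "spec": {
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false}}
    ]
  }
}
""")

# The Restricted profile evaluates all three container lists of a Pod spec.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def find_violations(pod):
    """Return (list, container name, reason) for every container that does not
    set allowPrivilegeEscalation to false explicitly.

    An unset field counts as a violation: Kubernetes defaults it to true.
    (privileged: true or CAP_SYS_ADMIN also force it to true; the Restricted
    profile forbids both, which separate rules cover.)
    """
    violations = []
    spec = pod.get("spec") or {}
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            value = sc.get("allowPrivilegeEscalation")
            if value is None:
                violations.append((list_name, name,
                                   "allowPrivilegeEscalation unset; Kubernetes defaults it to true"))
            elif value is not False:
                violations.append((list_name, name,
                                   f"allowPrivilegeEscalation set to {value!r}"))
    return violations


def is_compliant(pod):
    """True when every container in the Pod passes the check."""
    return not find_violations(pod)


def remediate(pod):
    """Return a deep copy of the Pod with the field set to false on every
    container; the input manifest is left untouched."""
    fixed = copy.deepcopy(pod)
    spec = fixed.setdefault("spec", {})
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            sc = container.get("securityContext")
            if not isinstance(sc, dict):   # absent or null securityContext
                sc = {}
                container["securityContext"] = sc
            sc["allowPrivilegeEscalation"] = False
    return fixed


if __name__ == "__main__":
    for pod in (NONCOMPLIANT_POD, COMPLIANT_POD):
        name = pod["metadata"]["name"]
        for list_name, cname, reason in find_violations(pod):
            print(f"{name}: {list_name}/{cname}: {reason}")
        print(f"{name}: compliant={is_compliant(pod)}")
    print(json.dumps(remediate(NONCOMPLIANT_POD)["spec"], indent=2))
```

Running the script reports two findings for the first manifest (the initContainer with the field unset and the app container with it set to true), none for the second, and prints the remediated spec with the field set to false on all three containers. Treating an unset field as a violation is the important design choice: the page's "default true left in place" pitfall is exactly the case a check that only looks for an explicit true would miss.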

🎯 MITRE ATT&CK Mapping

T1068 — Exploitation for Privilege Escalation

⚡ Common Pitfalls

  • Default (true) left in place because the field was never set explicitly

📈 Business Value

Preventing privilege escalation limits container-escape probability.

⏱️ Effort Estimate

Manual: Per-deployment

With EchelonGraph: EchelonGraph enforces via PSS

🔗 Cross-Framework References

CIS-K8S-5.2.6

Automate Pod Security Standards PSS-AllowPrivilegeEscalation compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
