This product is not supported for your selected
Datadog site. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: dd29336b-fe57-445b-a26e-e6aa867ae609
Cloud Provider: k8s
Framework: Kubernetes
Severity: High
Category: Insecure Configurations
Learn More
Description
Privileged containers lack essential security restrictions and should be avoided by removing the privileged flag or setting it to false.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
Non-Compliant Code Examples
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-deployment
labels:
app: test
spec:
replicas: 3
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
securityContext:
privileged: true
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
privileged: true
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
---
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-5
spec:
initContainers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
privileged: true
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
