--- title: PSP allows privilege escalation description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > PSP allows privilege escalation --- # PSP allows privilege escalation {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `2bff9906-4e9b-4f71-9346-8ebedfdf43ef` **Cloud Provider:** Kubernetes **Platform:** Terraform **Severity:** High **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation) ### Description{% #description %} `PodSecurityPolicy` should not allow privilege escalation. The `kubernetes_pod_security_policy` resource must include the `spec.allow_privilege_escalation` attribute and set it to `false`. If `spec.allow_privilege_escalation` is missing or set to `true`, this rule reports a `MissingAttribute` or `IncorrectValue` issue and recommends setting `spec.allow_privilege_escalation = false` as the remediation. The rule inspects `resource.kubernetes_pod_security_policy[name].spec` to determine the presence and value of `allow_privilege_escalation`. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "kubernetes_pod_security_policy" "example2" { metadata { name = "terraform-example" } spec { privileged = false allow_privilege_escalation = false volumes = [ "configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim", ] run_as_user { rule = "MustRunAsNonRoot" } se_linux { rule = "RunAsAny" } supplemental_groups { rule = "MustRunAs" range { min = 1 max = 65535 } } fs_group { rule = "MustRunAs" range { min = 1 max = 65535 } } read_only_root_filesystem = true } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "kubernetes_pod_security_policy" "example" { metadata { name = "terraform-example" } spec { privileged = false allow_privilege_escalation = true volumes = [ "configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim", ] run_as_user { rule = "MustRunAsNonRoot" } se_linux { rule = "RunAsAny" } supplemental_groups { rule = "MustRunAs" range { min = 1 max = 65535 } } fs_group { rule = "MustRunAs" range { min = 1 max = 65535 } } read_only_root_filesystem = true } } resource "kubernetes_pod_security_policy" "example2" { metadata { name = "terraform-example" } spec { privileged = false volumes = [ "configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim", ] run_as_user { rule = "MustRunAsNonRoot" } se_linux { rule = "RunAsAny" } supplemental_groups { rule = "MustRunAs" range { min = 1 max = 65535 } } fs_group { rule = "MustRunAs" range { min = 1 max = 65535 } } read_only_root_filesystem = true } } ```