This product is not supported for your selected
Datadog site. (
).
Id: a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9
Cloud Provider: Kubernetes
Platform: Terraform
Severity: High
Category: Insecure Configurations
Learn More
Description
Pods must not be allowed to run as privileged.
The spec.privileged field on kubernetes_pod_security_policy resources must be set to false.
If spec.privileged is not false, this rule reports an IncorrectValue issue and recommends replacing the current value with false.
Compliant Code Examples
resource "kubernetes_pod_security_policy" "example2" {
metadata {
name = "terraform-example"
}
spec {
privileged = false
allow_privilege_escalation = false
volumes = [
"configMap",
"emptyDir",
"projected",
"secret",
"downwardAPI",
"persistentVolumeClaim",
]
run_as_user {
rule = "MustRunAsNonRoot"
}
se_linux {
rule = "RunAsAny"
}
supplemental_groups {
rule = "MustRunAs"
range {
min = 1
max = 65535
}
}
fs_group {
rule = "MustRunAs"
range {
min = 1
max = 65535
}
}
read_only_root_filesystem = true
}
}
Non-Compliant Code Examples
resource "kubernetes_pod_security_policy" "example" {
metadata {
name = "terraform-example"
}
spec {
privileged = true
allow_privilege_escalation = false
volumes = [
"configMap",
"emptyDir",
"projected",
"secret",
"downwardAPI",
"persistentVolumeClaim",
]
run_as_user {
rule = "MustRunAsNonRoot"
}
se_linux {
rule = "RunAsAny"
}
supplemental_groups {
rule = "MustRunAs"
range {
min = 1
max = 65535
}
}
fs_group {
rule = "MustRunAs"
range {
min = 1
max = 65535
}
}
read_only_root_filesystem = true
}
}
