---
title: Minimize the admission of privileged containers
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Minimize the admission of privileged
  containers
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Minimize the admission of privileged containers
 
## Description{% #description %}

Each AKS cluster should be covered by an enforced Azure Policy assignment that restricts privileged container admission, so pods cannot run containers, init containers, or ephemeral containers with `securityContext.privileged=true`. Privileged containers gain access to all Linux kernel capabilities and host devices, letting a compromised workload act with near host-level control.

This rule evaluates each `azure_aks_cluster` and passes only when an `azure_policy_assignment` for the built-in "Kubernetes cluster should not allow privileged containers" definition both covers the cluster's scope (the cluster resource, its resource group, or its subscription) and has its enforcement mode set to `Default`. A cluster with no covering enforced assignment fails. Management-group-scoped assignments are not evaluated.

## Remediation{% #remediation %}

Assign the built-in "Kubernetes cluster should not allow privileged containers" policy to each subscription or resource group hosting AKS workloads, and set the enforcement mode to `Default` so the deny effect is applied. See [Azure Policy for Kubernetes clusters](https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes) for step-by-step guidance.

## References{% #references %}

- [Azure Policy built-in definitions for AKS](https://learn.microsoft.com/en-us/azure/aks/policy-reference)
- [Kubernetes Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/)
- [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes)
