Files
T

1.2 KiB

API Reference: Detecting Privilege Escalation in Kubernetes Pods

Security Context Checks

Check Risk Description
privileged: true CRITICAL Full host access
allowPrivilegeEscalation HIGH setuid escalation
runAsUser: 0 HIGH Running as root
hostPID: true CRITICAL Host PID namespace
hostNetwork: true HIGH Host network access

Dangerous Capabilities

Capability Risk
SYS_ADMIN Container escape
SYS_PTRACE Process debugging
SYS_MODULE Kernel module loading
NET_ADMIN Network manipulation

kubectl Audit Commands

kubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true)'
kubectl auth can-i --list --as=system:serviceaccount:ns:sa

Pod Security Standards

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: restricted

Falco Rules

- rule: Pod with Privileged Container
  condition: kevt and kcreate and container.privileged=true
  priority: CRITICAL

CLI Usage

python agent.py --namespace default
python agent.py --json-file pods.json