id: k8s-allow-privilege-escalation-set

info:
  name: Containers run with allowPrivilegeEscalation enabled
  author: princechaddha
  severity: critical
  description: Checks for containers running with the allowPrivilegeEscalation flag enabled, which can increase security risks by allowing privileges to be escalated
  impact: |
    Enabling allowPrivilegeEscalation in container deployments can result in elevated privileges, potentially allowing attackers to gain further access to host resources. This poses significant security risks.
  remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks
  reference:
    - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let container of template.items) {
    set("container", container)
    javascript(1);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get pods --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[] | {pod: .metadata.name, containers: .spec.containers}'

javascript:
  - code: |
        let podData = JSON.parse(template.container);
        podData.containers.forEach(container => {
          if (container.securityContext && container.securityContext.allowPrivilegeEscalation === true) {
            let result = (`Container '${container.name}' in pod '${podData.pod}' running with allowPrivilegeEscalation enabled.`);
            Export(result);
          }
        });


    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022100b82b8a61d07a1fd3eb1d4c0e294e1c0ad03620d317280f0708493d3422a9654002207d8421e313c2d1eb9c5c6e0f5efc9193088d15ebe536aa77e70a0104ced336c4:922c64590222798bb761d5b6d8e72950