Terraform Allow Privilege Escalation Enabled
Description
Detects Kubernetes container configurations that allow privilege escalation, which enables containers to gain additional privileges at runtime. This poses a security risk as containers could escalate their permissions beyond their intended scope, potentially compromising the host system and other containers.
Detection Strategy
• Analyzes Kubernetes resource files (like Deployments, StatefulSets, etc.) that define container configurations
• Examines the container security context settings within pod specifications
• Reports a vulnerability when allowPrivilegeEscalation is explicitly set to true or when security context is missing (defaults to true)
• Checks container configurations at all supported resource levels including Pod specs, container definitions, and security contexts
Vulnerable code example
resource "kubernetes_pod_v1" "vulnerable_pod" {
  metadata {
    name = "vulnerable-pod"
  }
  spec {
    container {
      name  = "unsafe-container"
      image = "nginx"
      # No security_context block, so allow_privilege_escalation keeps its default of true
    }
  }
}
✅ Secure code example
resource "kubernetes_pod_v1" "secure_pod" {
  metadata {
    name = "secure-pod"
    labels = {
      app = "web"
    }
  }
  spec {...
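As an added example (not Fluid Attacks' detector and not code from this page), the following Python script implements the detection strategy described above: it scans each container or init_container block in a Terraform file with a brace-aware reader and reports allow_privilege_escalation that is explicitly true or not set at all. The Terraform snippet it runs over is constructed for the example.

```python
import re

# Constructed sample (not from the page): one container without a security_context, one that disables escalation.
SAMPLE_TF = """
resource "kubernetes_pod_v1" "vulnerable_pod" {
  spec {
    container {
      image = "nginx"
    }
  }
}
resource "kubernetes_pod_v1" "secure_pod" {
  spec {
    container {
      image = "nginx"
      security_context {
        allow_privilege_escalation = false
      }
    }
  }
}
"""

BLOCK_RE = re.compile(r'^[ \t]*(init_)?container[ \t]*\{', re.MULTILINE)  # container/init_container block header
SETTING_RE = re.compile(r'allow_privilege_escalation\s*=\s*(true|false)')

def _block_body(text, brace_pos):
    """Return the text enclosed by the brace at brace_pos and its matching closing brace."""
    depth = 0
    for i in range(brace_pos, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[brace_pos + 1:i]
    raise ValueError("unbalanced braces in Terraform input")

def find_privilege_escalation(text):
    """Return (line, reason) for every container block that allows privilege escalation."""
    findings = []
    for header in BLOCK_RE.finditer(text):
        body = _block_body(text, header.end() - 1)
        line = text.count('\n', 0, header.start()) + 1
        setting = SETTING_RE.search(body)
        if setting is None:
            findings.append((line, "allow_privilege_escalation not set (defaults to true)"))
        elif setting.group(1) == 'true':
            findings.append((line, "allow_privilege_escalation explicitly true"))
    return findings
```

Running find_privilege_escalation(SAMPLE_TF) flags only the first container (line 4 of the sample); a container whose security_context sets the value to false produces no finding.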