Difficulty: Intermediate
Estimated Time: 5 minutes

image

We are going to implement OPA policy for the situation when we need to make sure pod contains the security context with allowPrivilegeEscalation=true. This defaults to allowed so as to not break setuid binaries.

In this scenario,we learned allowPrivilegeEscalation security context of a container to be set to true always.

For more OPA Gatekeeper use-cases do check - https://cloudsecops.com/opa-gatekeeper

Allow "Privilege" Escalation

Step 1 of 4

Reason

Setting allowPrivilegeEscalation to false ensures that no child process of a container can gain more privileges than its parent. So we are making policy for ensuring allowance of privilege escalation.