Authorization bypass due to missing securityContext in Kubernetes workload spec

Risk: High. Category: infrastructure-security
Tags: kubernetes, security-context, authorization-bypass, default-security, privilege-escalation, container-security, pod-security

What it is

Kubernetes pods and containers deployed without an explicit securityContext inherit the container runtime's insecure defaults: the process runs as whatever user the image specifies (usually root), allowPrivilegeEscalation is effectively true, the runtime's default capability set is granted, the root filesystem is writable, and no seccomp or AppArmor profile is applied. Together these give an attacker who gains code execution in the container several routes to container escape, privilege escalation, and lateral movement.

# VULNERABLE: Pod without any security context
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  # VULNERABLE: No securityContext defined
  containers:
  - name: app
    image: app:v1.0.0
    # VULNERABLE: No container-level securityContext
---
# VULNERABLE: Deployment with minimal security
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vulnerable-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: vulnerable-app
  template:
    metadata:
      labels:
        app: vulnerable-app
    spec:
      # VULNERABLE: Missing pod-level securityContext
      containers:
      - name: web-server
        image: nginx:latest
        # VULNERABLE: No container securityContext
        ports:
        - containerPort: 80

# SECURE: Pod with security context
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  # SECURE: Pod-level security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - name: app
    image: app:v1.0.0
    # SECURE: Container-level security context
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
---
# SECURE: Deployment with security configuration
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      # SECURE: Pod security context
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      containers:
      - name: web-server
        image: nginx:latest
        # SECURE: Container security context
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]
        ports:
        - containerPort: 80

💡 Why This Fix Works

Why it happens

Kubernetes workloads are deployed without defining securityContext at pod or container level, causing them to inherit insecure default settings that enable root execution and privilege escalation.

Root causes

Missing Security Context Configuration

Neither the pod spec nor the container spec sets securityContext, so nothing overrides the runtime defaults: the container starts as the image's user (commonly root), privilege escalation via setuid binaries stays possible, the default capabilities are granted, the root filesystem remains writable, and the seccomp profile is left unconfined.

Lack of Security Awareness

Development teams deploy applications without understanding Kubernetes security defaults, assuming containers are secure by default without implementing explicit security controls.

Fixes

1. Define Comprehensive Security Context

Configure securityContext at both the pod and the container level with runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, and capabilities that drop ALL and add back only those the workload specifically requires.

2. Implement Pod Security Standards

Enable the Pod Security Admission controller with the 'restricted' profile so that securityContext requirements are enforced automatically and pods that do not meet them are rejected at admission time.

3. Use Security Policy Engines

Implement OPA Gatekeeper or Kyverno policies to automatically validate and enforce securityContext configuration across all workloads in the cluster.
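The following audit script is an added example, not Sourcery's code and not part of the manifests above. It reads the JSON that `kubectl get pods -A -o json` produces (or a constructed sample PodList embedded below, so it runs offline) and reports, per container, which of the settings discussed in "What it is" and in fix 1 are missing or left at their insecure default: runAsNonRoot, allowPrivilegeEscalation, capabilities, seccompProfile and readOnlyRootFilesystem. It applies the same pod-level/container-level override semantics Kubernetes uses, and it includes a second check, for fix 2, that a namespace carries the `pod-security.kubernetes.io/enforce: restricted` label. Run against the page's own secure-pod it still reports two findings, because that manifest sets neither a seccomp profile nor a read-only root filesystem; the constructed hardened-pod shows the spec that passes every check. The set of allowed added capabilities and the check list are assumptions modelled on the restricted Pod Security Standard, not a full implementation of it.

```python
"""Audit pod specs for the securityContext hardening discussed above (added example)."""
import json
import sys

# Assumption: only NET_BIND_SERVICE may be added back after `drop: ["ALL"]`,
# mirroring the restricted Pod Security Standard.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
SECCOMP_OK = {"RuntimeDefault", "Localhost"}
PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"


def effective(pod_ctx, ctr_ctx, key):
    """A container-level securityContext value overrides the pod-level one."""
    return ctr_ctx[key] if key in ctr_ctx else pod_ctx.get(key)


def audit_container(pod_ctx, container):
    """Return a list of findings for one container; an empty list means hardened."""
    ctr_ctx = container.get("securityContext") or {}
    findings = []
    if effective(pod_ctx, ctr_ctx, "runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true: container may run as UID 0")
    if ctr_ctx.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false: setuid binaries can gain privileges")
    caps = ctr_ctx.get("capabilities") or {}
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities.drop lacks ALL: runtime default capability set is granted")
    extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
    if extra:
        findings.append(f"capabilities.add re-adds {sorted(extra)}")
    seccomp = effective(pod_ctx, ctr_ctx, "seccompProfile") or {}
    if seccomp.get("type") not in SECCOMP_OK:
        findings.append("seccompProfile is not set: syscall filter is Unconfined")
    if ctr_ctx.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true: root filesystem is writable")
    if ctr_ctx.get("privileged") is True:
        findings.append("privileged is true: container has full host access")
    return findings


def audit_pod(pod):
    """Map container name -> findings for every container and initContainer."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return {c["name"]: audit_container(pod_ctx, c) for c in containers}


def audit_podlist(podlist):
    """Map 'namespace/name' -> audit_pod() result for a kubectl PodList."""
    out = {}
    for pod in podlist.get("items", []):
        meta = pod["metadata"]
        out[f"{meta.get('namespace', 'default')}/{meta['name']}"] = audit_pod(pod)
    return out


def namespace_enforces_restricted(namespace):
    """True when Pod Security Admission will reject non-restricted pods in this namespace."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    return labels.get(PSA_ENFORCE_LABEL) == "restricted"


# Constructed sample in the shape of `kubectl get pods -o json`: the page's
# vulnerable-pod and secure-pod, plus a hardened-pod that satisfies every check.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "vulnerable-pod", "namespace": "default"},
         "spec": {"containers": [{"name": "app", "image": "app:v1.0.0"}]}},
        {"metadata": {"name": "secure-pod", "namespace": "default"},
         "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                  "containers": [{"name": "app", "image": "app:v1.0.0",
                                  "securityContext": {"allowPrivilegeEscalation": False,
                                                      "runAsNonRoot": True,
                                                      "capabilities": {"drop": ["ALL"]}}}]}},
        {"metadata": {"name": "hardened-pod", "namespace": "default"},
         "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                      "seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "app", "image": "app:v1.0.0",
                                  "securityContext": {"allowPrivilegeEscalation": False,
                                                      "readOnlyRootFilesystem": True,
                                                      "capabilities": {"drop": ["ALL"]}}}]}},
    ],
}

# Constructed namespace objects: one labelled for PSA enforcement, one not.
SAMPLE_NS_RESTRICTED = {"metadata": {"name": "prod", "labels": {PSA_ENFORCE_LABEL: "restricted"}}}
SAMPLE_NS_UNLABELLED = {"metadata": {"name": "dev", "labels": {}}}

if __name__ == "__main__":
    # Usage: python audit.py pods.json   (file from `kubectl get pods -A -o json`)
    # With no argument the embedded sample is audited.
    podlist = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODLIST
    for pod_ref, containers in audit_podlist(podlist).items():
        for name, findings in containers.items():
            print(f"{pod_ref} [{name}]: {'OK' if not findings else f'{len(findings)} finding(s)'}")
            for finding in findings:
                print(f"    - {finding}")
```

The checks are deliberately strict about explicit values: `allowPrivilegeEscalation` must be literally `false` and `runAsNonRoot` literally `true`, because an absent key means the insecure default applies. A Kyverno or Gatekeeper policy enforcing fix 3 encodes the same conditions as admission rules rather than as a post-hoc audit.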

Detect This Vulnerability in Your Code

Sourcery automatically identifies authorization bypass due to missing securityContext in Kubernetes workload specs, along with many other security issues in your codebase.