Kubernetes Pod Security Context Misconfigurations

High Risk Container Security
kubernetespod-securitycontainersprivilege-escalationsecurity-contextcapabilities

What it is

Kubernetes pods deployed without proper security context configurations, allowing containers to run with excessive privileges, as root user, or with dangerous capabilities. These misconfigurations can lead to container escape, privilege escalation, and compromise of the underlying node and cluster.

# VULNERABLE: Pod without security context
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  namespace: production
spec:
  containers:
  - name: nginx
    image: nginx:latest
    ports:
    - containerPort: 80
# SECURE: Pod with proper security context
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  namespace: production
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  containers:
  - name: nginx
    image: nginx:latest
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: cache
      mountPath: /var/cache/nginx
    - name: run
      mountPath: /var/run
  volumes:
  - name: cache
    emptyDir: {}
  - name: run
    emptyDir: {}

💡 Why This Fix Works

The vulnerable pod runs without security context, defaulting to root user with all capabilities and writable filesystem. The secure version enforces non-root execution, drops all capabilities, uses read-only root filesystem, and prevents privilege escalation.

Why it happens

Deploying containers that run as the root user (UID 0) without proper justification, violating the principle of least privilege

Root causes

Running Containers as Root

Deploying containers that run as the root user (UID 0) without proper justification, violating the principle of least privilege

Excessive Linux Capabilities

Granting unnecessary Linux capabilities to containers or failing to drop default capabilities that are not required

Privileged Container Mode

Running containers in privileged mode, which grants access to all host devices and bypasses security mechanisms

Writable Root Filesystem

Allowing containers to write to the root filesystem instead of using read-only filesystems with specific writable volumes

Fixes

1

Implement Non-Root Security Context

Configure pods to run as non-root users with specific UID/GID assignments and prevent privilege escalation

2

Use Read-Only Root Filesystem

Set readOnlyRootFilesystem to true and provide specific writable volumes only where necessary

3

Drop Unnecessary Capabilities

Drop all Linux capabilities by default and only add specific capabilities required for application functionality

4

Enforce Pod Security Standards

Implement Pod Security Standards (PSS) or Pod Security Policies to automatically enforce security context requirements

Detect This Vulnerability in Your Code

Sourcery automatically identifies kubernetes pod security context misconfigurations and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities