Lateral movement

Controller creating containers that are running as root or have the option to run as root

Platform(s)

  • Non-platform specific

Compliance Frameworks

AKS CIS, Brazilian General Data Protection (LGPD), CCPA, CPRA, EKS CIS, essential_8_au, GDPR, GKE CIS, iso_27001_2022, iso_27002_2022, K8s CIS, K8s OWASP Top 10, New Zealand Information Security Manual, NIST 800-171, NIST 800-190, NIST 800-53, PDPA, pipeda, UK Cyber Essentials

Description

When assessing which user the controller allows its containers to run as, there are 3 parameters: 1. RunAsUser - define the UID of the container. 2. RunAsGroup - define the GID of the container. 3. RunAsNonRoot - preform a kubelet validation at run-time to ensure a container doesn't run as root. There are 2 ways to define these parameters: in the ContainerSecurityContext or in the PodSecurityContext. The value specified in ContainerSecurityContext takes precedence over PodSecurityContext. Orca has detected that the controller {K8sController} is creating pods that create containers that run or can run as root. An attacker can use the controllers' containers and gain higher privileges on the node, possibly allowing a cluster-takeover.
Need help?

Get a free Security Risk Assessment. Start today

A screenshot of the Orca platform dashboard summarizing all of your cloud security risks

Personalized Demo

See Orca Security in Action

Gain visibility, achieve compliance, and prioritize risks with the Orca Cloud Security Platform.

Get a Demo