Lateral movement

Controller creating containers that are running as root or have the option to run as root


When assessing which user the controller allows its containers to run as, there are 3 parameters: 1. RunAsUser - define the UID of the container. 2. RunAsGroup - define the GID of the container. 3. RunAsNonRoot - preform a kubelet validation at run-time to ensure a container doesn't run as root. There are 2 ways to define these parameters: in the ContainerSecurityContext or in the PodSecurityContext. The value specified in ContainerSecurityContext takes precedence over PodSecurityContext. Orca has detected that the controller {K8sController} is creating pods that create containers that run or can run as root. An attacker can use the controllers' containers and gain higher privileges on the node, possibly allowing a cluster-takeover.
  • Recommended Mitigation

    Consider disabling or changing the value of the following attributes in the container: RunAsUser, RunAsGroup and RunAsNonRoot. Alternatively, have a PodSecurityPolicy in place to prevent the creating of this kind of containers.