
Function containerSecurityContextPrivileged

score/security/security.go:49–65  ·  view source on GitHub ↗

containerSecurityContextPrivileged checks for privileged containers

(ps ks.PodSpecer)


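// containerSecurityContextPrivileged checks for privileged containers.
//
// Every init container and regular container of the pod template is inspected.
// Each container whose securityContext.privileged is explicitly true receives a
// comment naming it, and the overall grade becomes GradeCritical; when no
// container is privileged the grade is GradeAllOK. A missing securityContext or
// an unset privileged field is treated as not privileged. The err result is
// never set by this check.
func containerSecurityContextPrivileged(ps ks.PodSpecer) (score scorecard.TestScore, err error) {
	spec := ps.GetPodTemplateSpec().Spec

	// Build the combined list in its own backing array. Appending directly onto
	// spec.InitContainers would reuse any spare capacity of that slice and could
	// write the regular containers into storage shared with the pod spec,
	// silently corrupting it for later checks.
	allContainers := append(spec.InitContainers[:0:0], spec.InitContainers...)
	allContainers = append(allContainers, spec.Containers...)

	hasPrivileged := false
	for _, container := range allContainers {
		sc := container.SecurityContext
		// Only an explicit `privileged: true` is flagged; nil means unset.
		if sc == nil || sc.Privileged == nil || !*sc.Privileged {
			continue
		}
		hasPrivileged = true
		score.AddComment(container.Name, "The container is privileged", "Set securityContext.privileged to false. Privileged containers can access all devices on the host, and grants almost the same access as non-containerized processes on the host.")
	}

	if hasPrivileged {
		score.Grade = scorecard.GradeCritical
	} else {
		score.Grade = scorecard.GradeAllOK
	}
	return
}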
67// containerSecurityContextUserGroupID checks that the user and group are valid ( > 10000) in the security context
68func containerSecurityContextUserGroupID(ps ks.PodSpecer) (score scorecard.TestScore, err error) {
