
Gain All Capabilities Using Unshare


Details

    • Enhancement
    • Resolution: Done
    • Major
    • 1.29.0.Final
    • Operator
    • 2022 Week 38-40 (from Sept 19), 2022 Week 41-43 (from Oct 10)

    Description

      Kubernetes by default doesn't apply any Seccomp or AppArmor/SELinux profile restrictions when the
      pod is scheduled to run.
      Hence, such a pod by default gets free access to dangerous system calls that allow it to escalate
      privileges and gain capabilities such as CAP_SYS_ADMIN for further attack.

      Steps to Reproduce:
      1. Exec into the pod and notice that the pod doesn't have CAP_SYS_ADMIN privileges assigned.
      2. Make the unshare system call: 'unshare -Urm'
      3. The screenshot below shows that the pod has gained CAP_SYS_ADMIN privileges after the use of
      unshare.
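A pod securityContext that closes the gap the description points at, as an added example (not part of this issue or of the Kogito Operator's own manifests); the pod name, container name, image and UID are placeholders:

```yaml
# Added example (not from KOGITO-8088 or the Kogito Operator): a pod hardened
# against the unshare-based capability gain described above.
# Names, image and UID are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-service               # placeholder
spec:
  # Pod-level settings apply to every container unless a container overrides them.
  securityContext:
    # When seccompProfile is omitted, Kubernetes applies no seccomp filter at all,
    # which is the unconfined state the issue describes. RuntimeDefault selects the
    # container runtime's built-in profile, which only permits unshare/setns when
    # the calling process already holds CAP_SYS_ADMIN, so 'unshare -Urm' fails
    # with EPERM instead of creating a new user namespace.
    seccompProfile:
      type: RuntimeDefault
    runAsNonRoot: true
    runAsUser: 1000                     # placeholder UID
  containers:
    - name: app                         # placeholder
      image: registry.example/app:1.0   # placeholder
      securityContext:
        # Sets no_new_privs: setuid binaries and file capabilities cannot add
        # privileges across execve.
        allowPrivilegeEscalation: false
        # Start with an empty capability set instead of the runtime's default set.
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
```

The weak configuration is simply the absence of seccompProfile, so auditing for it means listing pods whose spec sets none. Since Kubernetes 1.27 the kubelet flag --seccomp-default makes RuntimeDefault the default for pods that set nothing.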

    People

      rhn-support-fspolti Filippe Spolti
      aparedes@redhat.com Adriel Paredes
      Jakub Schwan Jakub Schwan