Cyscale
Back to controls

Minimize the admission of containers with allowPrivilegeEscalation

Do not generally permit containers to be run with the `allowPrivilegeEscalation` flag set

Category

Controls

Medium

Applies to

Kubernetes

Coverage

null controls, 1 queries

Asset types

1 covered

Overview

Do not generally permit containers to be run with the allowPrivilegeEscalation flag set to true. Allowing this right can lead to a process running a container getting more rights than it started with.

It's important to note that these rights are still constrained by the overall container sandbox, and this setting does not relate to the use of privileged containers.

Rationale

A container running with the allowPrivilegeEscalation flag set to true may have processes that can gain more privileges than their parent.

There should be at least one admission control policy defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run.

If you have need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate policy and you should carefully check to ensure that only limited service accounts and users are given permission to use that policy.

Impact

Pods defined with spec.allowPrivilegeEscalation: true will not be permitted unless they are run under a specific policy.

Audit

List the policies in use for each namespace in the cluster, ensure that each policy disallows the admission of containers which allow privilege escalation.

Remediation guidance

Add policies to each namespace in the cluster which has user workloads to restrict the admission of conatiners with .spec.allowPrivilegeEscalationset to true.

Default Value

By default, there are no restrictions on contained process ability to escalate privileges, within the context of the container.

References

  1. https://kubernetes.io/docs/concepts/security/pod-security-standards/

Multiple Remediation Paths

SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.

ASSET-LEVEL: Fix only the affected resources identified by this control.

PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.

References for Service-Wide Patterns

  • Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.

Query logic

These are the stored checks tied to this control.

Minimize the admission of containers with allowPrivilegeEscalation (Pod)

Connectors

Kubernetes

Covered asset types

KubernetesPod

Expected check: eq []

{
  pods(where:{containers_SOME:{securityContext:{allowPrivilegeEscalation: true }}}){
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon