2.1.1 Ensure that the --allow-privileged argument is set to false

Information

Do not allow privileged containers.

Rationale:

The privileged container has all the system capabilities, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker and hence should be avoided for production workloads.

Solution

Edit the `/etc/kubernetes/config` file on each node and set the `KUBE_ALLOW_PRIV` parameter to `'--allow-privileged=false'`: `KUBE_ALLOW_PRIV='--allow-privileged=false'`

Based on your system, restart the `kubelet` service. For example: `systemctl restart kubelet.service`

Impact:

You will not be able to run any privileged containers.

Note: A number of components used by Kubernetes clusters currently make use of privileged containers (e.g. Container Network Interface plugins). Care should be taken in ensuring that the use of such plugins is minimized and in particular any use of privileged containers outside of the kube-system namespace should be scrutinized. Where possible, review the rights required by such plugins to determine if a more fine grained permission set can be applied.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5.1

Plugin: Unix

Control ID: b8edc2a2f7b81405204b40e2dd789f223d9520b08d169add297a532df981bede