Information
Do not allow privileged containers.
Rationale:
A privileged container has all system capabilities, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use cases, like running Docker within Docker, and hence should be avoided for production workloads.
Solution
Edit the `/etc/kubernetes/config` file on each node and set the `KUBE_ALLOW_PRIV` parameter to `'--allow-privileged=false'`: `KUBE_ALLOW_PRIV='--allow-privileged=false'`
Based on your system, restart the `kubelet` service. For example: `systemctl restart kubelet.service`
Impact:
You will not be able to run any privileged containers.
Note: A number of components used by Kubernetes clusters currently make use of privileged containers (e.g. Container Network Interface plugins). Take care to minimize the use of such plugins, and in particular scrutinize any use of privileged containers outside of the kube-system namespace. Where possible, review the rights required by such plugins to determine whether a more fine-grained permission set can be applied.
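The review described in the note above can be scripted. The following is an added example, not part of the benchmark text: it lists every container that sets `securityContext.privileged: true` and separates out those running outside `kube-system`. It assumes input in the shape produced by `kubectl get pods --all-namespaces -o json`; the sample pods and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "cni-node-x1"},
     "spec": {"containers": [
         {"name": "cni", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "ci", "name": "dind-builder"},
     "spec": {"initContainers": [{"name": "setup"}],
              "containers": [
                  {"name": "docker", "securityContext": {"privileged": True}},
                  {"name": "sidecar", "securityContext": {"privileged": False}}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "nginx", "securityContext": None}]}},
]})

# Every pod-spec field that can hold container definitions.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def privileged_containers(pod_list_json):
    """Return (namespace, pod, container) for every privileged container."""
    found = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for ctr in spec.get(field) or []:
                # securityContext may be absent or null; privileged defaults to false.
                ctx = ctr.get("securityContext") or {}
                if ctx.get("privileged") is True:
                    found.append((meta.get("namespace", ""),
                                  meta.get("name", ""),
                                  ctr.get("name", "")))
    return found


def outside_kube_system(findings):
    """Keep only the findings the note says should be scrutinized."""
    return [f for f in findings if f[0] != "kube-system"]


if __name__ == "__main__":
    # Pass a file holding saved kubectl JSON output, or run with no argument for the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ns, pod, ctr in outside_kube_system(privileged_containers(data)):
        print(f"{ns}/{pod}: container '{ctr}' is privileged")
```

Running this before setting `--allow-privileged=false` shows which workloads would stop being admitted once the kubelet is restarted.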