2.1.1 Ensure that the --allow-privileged argument is set to false

Information

Do not allow privileged containers.

Rationale:

A privileged container has all the system capabilities, and privileged mode also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use cases, like running Docker within Docker, and hence should be avoided for production workloads.

Solution

Edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf' on each worker node and set the following parameter in the 'KUBELET_SYSTEM_PODS_ARGS' variable.

--allow-privileged=false

Based on your system, restart the 'kubelet' service. For example:

systemctl daemon-reload
systemctl restart kubelet.service
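
One way to verify the result of the steps above, on both the drop-in file and the running kubelet process. This is an added example, not part of the benchmark or the plugin; the function name, the sample lines and the choice to report a missing flag as NOT_SET (a finding, since the control asks for the argument to be set) are assumptions.

```shell
#!/bin/sh
# Added example: audit text read from stdin (a kubelet drop-in file or a
# kubelet command line) for the --allow-privileged setting.
# Prints PASS, FAIL or NOT_SET; exit status is 0 only for PASS.
audit_allow_privileged() {
    # 1. Drop comment lines so a commented-out setting is not counted.
    # 2. Turn quotes into spaces so a value at the end of a quoted
    #    Environment="..." string is read cleanly.
    # 3. Extract every occurrence of the flag, with or without a value.
    flags=$(grep -v '^[[:space:]]*#' | tr "\"'" '  ' |
            grep -oE -- '--allow-privileged(=[^[:space:]]*)?' || true)

    [ -n "$flags" ] || { echo NOT_SET; return 1; }

    # A bare "--allow-privileged" means true for a boolean flag, and a
    # repeated flag can override an earlier one, so every occurrence
    # must be exactly "--allow-privileged=false" to pass.
    if printf '%s\n' "$flags" | grep -qvx -- '--allow-privileged=false'; then
        echo FAIL
        return 1
    fi
    echo PASS
}

# Constructed sample drop-in lines (not taken from a real node).
SAMPLE_GOOD='Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=false"'
SAMPLE_BAD='Environment="KUBELET_SYSTEM_PODS_ARGS=--allow-privileged=true"'

printf 'good sample: '; printf '%s\n' "$SAMPLE_GOOD" | audit_allow_privileged || true
printf 'bad sample:  '; printf '%s\n' "$SAMPLE_BAD"  | audit_allow_privileged || true

# On a worker node, check the file that was edited and then the running
# process, which confirms the restart picked up the change:
#   audit_allow_privileged < /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
#   ps -o args= -C kubelet | audit_allow_privileged
```

Checking the process arguments as well as the file catches a node where the file was edited but the kubelet was never restarted.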

Impact:

You will not be able to run any privileged containers.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5.1

Plugin: Unix

Control ID: b69bac599c5628c655848d9bdf48e9d16349e0a502764a7fa28e7a8d7ecb71cf