Setting AllowPrivilegeEscalation:false

11/11/2020

I want to set AllowPrivilegeEscalation to false in a non-privileged container that is running with the CAP_SYS_ADMIN capability. As per the docs: "AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN." In this case, will it be set to true or false?

-- sacboy
kubernetes

1 Answer

11/12/2020

As you already found in the docs:

AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN.

In your case the container has CAP_SYS_ADMIN, so it would have AllowPrivilegeEscalation set to true.

This behavior is also explained in more detail in the AllowPrivilegeEscalation design document.

-- Wytrzymały Wiktor
Source: StackOverflow
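
The rule quoted in the answer, written out as a manifest check. This is an added example, not code from the original post or from Kubernetes: the `SecurityContext` struct, `hasSysAdmin` and `Effective` are hypothetical names, and it assumes that an unset field behaves as true and that the capability may be spelled with or without the `CAP_` prefix.

```go
package main

import (
	"fmt"
	"strings"
)

// SecurityContext is a hypothetical, trimmed-down stand-in for the container
// securityContext fields that matter here; it is not the Kubernetes API type.
type SecurityContext struct {
	Privileged               bool
	AddCapabilities          []string
	AllowPrivilegeEscalation *bool // nil: field left unset in the manifest
}

// hasSysAdmin accepts both spellings, "SYS_ADMIN" and "CAP_SYS_ADMIN".
func hasSysAdmin(caps []string) bool {
	for _, c := range caps {
		if strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_") == "SYS_ADMIN" {
			return true
		}
	}
	return false
}

// Effective applies the documented rule. It returns the effective value, whether
// an explicit "false" was overridden, and the reason.
// Assumption: an unset field behaves as true (no_new_privs is not set).
func Effective(sc SecurityContext) (allowed, overridden bool, reason string) {
	requestedFalse := sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation
	switch {
	case sc.Privileged:
		return true, requestedFalse, "container runs as Privileged"
	case hasSysAdmin(sc.AddCapabilities):
		return true, requestedFalse, "container has CAP_SYS_ADMIN"
	case requestedFalse:
		return false, false, "explicit false honoured; no_new_privs gets set"
	default:
		return true, false, "unset or explicit true"
	}
}

func main() {
	no := false
	// Constructed input matching the question: non-privileged, CAP_SYS_ADMIN, false requested.
	sc := SecurityContext{AddCapabilities: []string{"CAP_SYS_ADMIN"}, AllowPrivilegeEscalation: &no}
	allowed, overridden, reason := Effective(sc)
	fmt.Printf("effective=%v overridden=%v reason=%s\n", allowed, overridden, reason)
}
```

An `overridden` result of true marks a manifest whose explicit `false` does not take effect, which is the case worth flagging in review.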