An over permissioned container has all the root capabilities of a host machine. The container can access resources which are not accessible in ordinary containers. While there may be some use cases for this, for example running a daemon inside a container, an over permissioned/privileged container breaks isolation. Instead of having a container be isolated from the host it is running, the container gains access to the host’s resources and devices. For the majority of containers, you want to avoid this so that containers cannot:
Modify the host's filesystem
Control host processes
Grant permissions for host resource allocation
How to Identify Over Permissioned Containers
It takes time and resources to identify privileged containers in your Kubernetes clusters. Fairwinds Insights, a policy-driven configuration validation platform (community version is free to use) allows teams responsible for Kubernetes to identify privileged containers and also prevent privileged containers from being deployed in the first place.
Fairwinds Insights community edition is free to use forever. Try the full edition for 30 days by signing up here. Test in GKE, AKS or EKS or run on a test cluster.
A SaaS solution, Fairwinds Insights automatically scans clusters to check for privileged containers. Your team saves time identifying and tracking the privileged containers and is able to use that time to remediate the problem.
Once the Fairwinds Insights agent is installed you’ll get results in 5-10 minutes. You can easily check for containers with the privileged field set, as well as other security events, such as writeable filesystems, containers processes running as root, and vulnerable images.
Prevent Privileged Containers in the First Place
Fairwinds Insights is policy-driven. By using it throughout your deployment process, you can ensure that your policy-as-code (OPA policies) are enforced. You can use it:
As a CI/CD hook, auditing Infrastructure-as-Code as part of the code review process
As an Admission Controller (aka Validating Webhook), which will stop problematic resources from entering the cluster
As an in-cluster agent, repeatedly scanning for problematic resources that have made it into the cluster
Fairwinds Insights can take the same OPA policies and federate them out to all three contexts, and to as many clusters as you’d like.
Using Fairwinds Insights will dramatically reduce the risk of security incidents by scanning your configuration from CI/CD to production. The policy-driven configuration validation platform ensures that security best practices are followed organization-wide.