Fairwinds | Blog

How to Identify Over Permissioned Containers

Written by Joe Pelletier | Dec 14, 2020 2:43:44 PM

An over-permissioned container has all the root capabilities of the host machine. It can access resources that ordinary containers cannot. While there are some use cases for this, for example running a daemon inside a container, an over-permissioned (privileged) container breaks isolation. Instead of being isolated from the host it is running on, the container gains access to the host's resources and devices. For the majority of containers, you want to avoid this so that containers cannot:

  • Modify the host's filesystem

  • Control host processes

  • Grant permissions for host resource allocation

How to Identify Over Permissioned Containers

It takes time and resources to identify privileged containers in your Kubernetes clusters. Fairwinds Insights, a policy-driven configuration validation platform (the community version is free to use), allows teams responsible for Kubernetes to identify privileged containers and also to prevent privileged containers from being deployed in the first place.

Fairwinds Insights community edition is free to use forever. Try the full edition for 30 days by signing up here. Test in GKE, AKS or EKS or run on a test cluster.

A SaaS solution, Fairwinds Insights automatically scans clusters to check for privileged containers. Your team saves time identifying and tracking the privileged containers and is able to use that time to remediate the problem. 

You can try it for free by creating an account, creating a cluster and installing the agent via the Helm chart.

Once the Fairwinds Insights agent is installed you'll get results in 5-10 minutes. You can easily check for containers with the privileged field set, as well as other security findings, such as writable root filesystems, container processes running as root, and vulnerable images.
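As an added illustration of those checks (this is not Fairwinds Insights' own code or policies), the following standard-library Python function walks a Kubernetes Pod or workload manifest, already parsed into a dictionary, and reports the privileged flag, writable root filesystems and containers that may run as root; the sample manifests and image names are constructed for the example.

```python
# Audit Kubernetes manifests for the over-permissioned settings the post lists:
# privileged containers, writable root filesystems, processes that may run as root.
WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job"}


def pod_spec(obj):
    """Return the PodSpec of a Pod or of a workload wrapping a pod template."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in WORKLOAD_KINDS:
        return obj["spec"]["template"]["spec"]
    return None


def audit(obj):
    """Return (container_name, finding) pairs; an empty list means no findings."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    pod_sc = spec.get("securityContext", {})
    findings = []
    # initContainers can be just as over-permissioned as the main containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            findings.append((name, "privileged: true breaks host isolation"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "root filesystem is writable"))
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "may run as root (runAsNonRoot not true)"))
    return findings


# Constructed sample manifests (not taken from the post): one risky, one hardened.
RISKY = {"kind": "Deployment", "metadata": {"name": "demo"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "app", "image": "example/app:1.0",
              "securityContext": {"privileged": True}}]}}}}
HARDENED = {"kind": "Pod", "metadata": {"name": "safe"},
            "spec": {"securityContext": {"runAsNonRoot": True},
                     "containers": [{"name": "app", "image": "example/app:1.0",
                                     "securityContext": {"allowPrivilegeEscalation": False,
                                                         "readOnlyRootFilesystem": True}}]}}
```

Feed it the output of a YAML parser over your manifests (or `kubectl get ... -o json`) to run the same checks in a CI step before a resource ever reaches the cluster.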

Prevent Privileged Containers in the First Place

Fairwinds Insights is policy-driven. By using it throughout your deployment process, you can ensure that your policy-as-code (OPA policies) is enforced. You can use it:

  • As a CI/CD hook, auditing Infrastructure-as-Code as part of the code review process

  • As an Admission Controller (aka Validating Webhook), which will stop problematic resources from entering the cluster

  • As an in-cluster agent, repeatedly scanning for problematic resources that have made it into the cluster

Fairwinds Insights can take the same OPA policies and federate them out to all three contexts, and to as many clusters as you’d like.

Interested in using Fairwinds Insights? It’s available for free! Learn more here.

Using Fairwinds Insights will dramatically reduce the risk of security incidents by scanning your configuration from CI/CD to production. The policy-driven configuration validation platform ensures that security best practices are followed organization-wide.