opendesk/docs/security/sec-ctx/sec-ctx.md
2025-12-01 13:33:13 +01:00


# Pod & Container Security Context

| ID | Description | References |
|----|-------------|------------|
| SEC-CTX-001 | Pods must not run privileged containers: securityContext.privileged must be unset or false for every container. Privileged mode disables most isolation mechanisms, grants excessive rights and makes persistence and further escalation easy. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-002 | All containers of a pod (containers, init-containers and ephemeral-containers) must run as a non-root user (runAsNonRoot set to true) to make persistence and further escalation more difficult. Given a justification, this requirement may be violated only for the containers that actually need it: those containers may set runAsNonRoot to false, while all other containers of the pod keep it set to true. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-003 | All containers of a pod (containers, init-containers and ephemeral-containers) must not explicitly set runAsUser to 0 (root), neither at pod level (spec.securityContext) nor at container level. The runAsUser field must either be undefined/null or set to a non-zero UID, so that containers run with non-root privileges and the risk of privilege escalation attacks is reduced. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-004 | All containers of a pod (containers, init-containers and ephemeral-containers) must drop ALL capabilities and may only add back the NET_BIND_SERVICE capability, following the principle of least privilege and minimizing the attack surface. This prevents containers from performing privileged system operations that could lead to container escape or host compromise. Given a justification, adding back the following capabilities is tolerated: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-005 | All containers of a pod (containers, init-containers and ephemeral-containers) must have a seccomp profile explicitly set to either RuntimeDefault or Localhost to restrict system calls and reduce the kernel attack surface (a Localhost profile additionally names the profile file via seccompProfile.localhostProfile). The Unconfined profile and the absence of a profile are prohibited. Container-level seccompProfile.type fields may be undefined only if the pod-level seccompProfile.type is set appropriately, and conversely the pod-level field may be undefined only if all container-level fields are set. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-006 | Pods must only use sysctls from the allowed safe list, i.e. sysctls that are namespaced and isolated from other pods and processes on the same node. Only the following sysctls are permitted: kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies, net.ipv4.ping_group_range, net.ipv4.ip_local_reserved_ports, net.ipv4.tcp_keepalive_time, net.ipv4.tcp_fin_timeout, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes. All other sysctls are prohibited, as they can disable security mechanisms or affect all containers on the host. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-007 | On AppArmor-supported hosts, all containers of a pod (containers, init-containers and ephemeral-containers) must use the RuntimeDefault AppArmor profile or a locally defined profile (Localhost), set via securityContext.appArmorProfile (or, on older clusters, the container.apparmor.security.beta.kubernetes.io annotation). The Unconfined profile is prohibited. Containers may only override the pod-level AppArmor profile with RuntimeDefault or Localhost profiles. Undefined/nil values are permitted and inherit the runtime's default behavior. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-008 | On SELinux-enabled hosts, all containers of a pod (containers, init-containers and ephemeral-containers) must only use approved SELinux types (container_t, container_init_t, container_kvm_t or container_engine_t) and are prohibited from setting custom SELinux users or roles. The seLinuxOptions.user and seLinuxOptions.role fields must remain undefined or empty, at pod level as well as at container level, to prevent privilege escalation through SELinux context manipulation. This ensures containers operate within the predefined SELinux security boundaries. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-009 | All containers of a pod (containers, init-containers and ephemeral-containers) must use the default /proc mount type with standard masking to reduce the kernel attack surface. The procMount field must be either undefined/nil or explicitly set to Default. The Unmasked option is prohibited, as it exposes sensitive kernel information through /proc that could be used for container escape or information disclosure attacks. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
| SEC-CTX-010 | All containers of a pod (containers, init-containers and ephemeral-containers) must explicitly set allowPrivilegeEscalation to false to prevent privilege escalation through setuid or setgid binaries. This blocks a process from gaining more privileges than its parent process and prevents exploitation of setuid/setgid executables that could lead to container escape or unauthorized privilege elevation. | K8s-PSS, BSI-SYS-1-6, OWASP-K8s, NIST-SP, NSA-Hardening |
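
The following checker is an added example written for this page; it is not part of the opendesk project or its tooling. It evaluates a Pod, given as a plain dict shaped like the Kubernetes Pod API object, against SEC-CTX-001 to SEC-CTX-010 and returns one finding per violated rule and container. Both sample Pods are constructed for the example. AppArmor is checked via the securityContext.appArmorProfile field only; the legacy annotation form is deliberately left out. The justified_caps flag models the documented exception of SEC-CTX-004 and is an assumption of this example, not a field of the specification.

```python
"""Added example (not opendesk project code): static check of a Pod dict against
SEC-CTX-001..010. Sample Pods below are constructed for this example."""

# SEC-CTX-004: always allowed, and tolerated only with a justification
CAPS_ALLOWED = {"NET_BIND_SERVICE"}
CAPS_TOLERATED = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                  "MKNOD", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# SEC-CTX-006: safe, namespaced sysctls
SYSCTLS_ALLOWED = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
                   "net.ipv4.ip_unprivileged_port_start", "net.ipv4.tcp_syncookies",
                   "net.ipv4.ping_group_range", "net.ipv4.ip_local_reserved_ports",
                   "net.ipv4.tcp_keepalive_time", "net.ipv4.tcp_fin_timeout",
                   "net.ipv4.tcp_keepalive_intvl", "net.ipv4.tcp_keepalive_probes"}
# SEC-CTX-008: approved SELinux types; SEC-CTX-005/007: allowed seccomp/AppArmor profile types
SELINUX_TYPES_ALLOWED = {"container_t", "container_init_t", "container_kvm_t", "container_engine_t"}
PROFILE_TYPES_ALLOWED = {"RuntimeDefault", "Localhost"}


def all_containers(spec):
    """Regular, init and ephemeral containers are all in scope of every rule."""
    return (spec.get("containers") or []) + (spec.get("initContainers") or []) \
        + (spec.get("ephemeralContainers") or [])


def _check_lsm(sc, scope):
    """SEC-CTX-007/008: AppArmor and SELinux fields exist at pod and at container level."""
    out = []
    aa = sc.get("appArmorProfile")
    if aa is not None and aa.get("type") not in PROFILE_TYPES_ALLOWED:  # nil is allowed
        out.append(("SEC-CTX-007", scope, f"AppArmor profile {aa.get('type')!r}"))
    se = sc.get("seLinuxOptions") or {}
    if se.get("type") and se["type"] not in SELINUX_TYPES_ALLOWED:
        out.append(("SEC-CTX-008", scope, f"SELinux type {se['type']}"))
    if se.get("user") or se.get("role"):
        out.append(("SEC-CTX-008", scope, "SELinux user/role must be unset"))
    return out


def check_pod(pod, justified_caps=False):
    """Return a sorted list of (rule id, scope, detail); an empty list means compliant."""
    spec = pod["spec"]
    psc = spec.get("securityContext") or {}
    findings = []
    # Pod-level fields
    if psc.get("runAsUser") == 0:
        findings.append(("SEC-CTX-003", "pod", "runAsUser is 0"))
    for s in psc.get("sysctls") or []:
        if s.get("name") not in SYSCTLS_ALLOWED:
            findings.append(("SEC-CTX-006", "pod", f"sysctl {s.get('name')} not allowed"))
    findings += _check_lsm(psc, "pod")
    # Container-level fields; a container value overrides the pod value where both exist
    for c in all_containers(spec):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(("SEC-CTX-001", name, "privileged container"))
        if sc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            findings.append(("SEC-CTX-002", name, "effective runAsNonRoot is not true"))
        if sc.get("runAsUser") == 0:
            findings.append(("SEC-CTX-003", name, "runAsUser is 0"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(("SEC-CTX-004", name, "capabilities.drop lacks ALL"))
        allowed = CAPS_ALLOWED | (CAPS_TOLERATED if justified_caps else set())
        for cap in set(caps.get("add") or []) - allowed:
            findings.append(("SEC-CTX-004", name, f"capability {cap} added back"))
        seccomp = (sc.get("seccompProfile") or psc.get("seccompProfile") or {}).get("type")
        if seccomp not in PROFILE_TYPES_ALLOWED:  # None (unset) and Unconfined both fail
            findings.append(("SEC-CTX-005", name, f"seccomp profile {seccomp!r}"))
        findings += _check_lsm(sc, name)
        if sc.get("procMount") not in (None, "Default"):
            findings.append(("SEC-CTX-009", name, f"procMount {sc['procMount']}"))
        if sc.get("allowPrivilegeEscalation") is not False:  # must be explicitly false
            findings.append(("SEC-CTX-010", name, "allowPrivilegeEscalation is not false"))
    return sorted(findings)


# Constructed sample: satisfies every rule (pod-level defaults, per-container overrides)
COMPLIANT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"},
                        "sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "80"}]},
    "initContainers": [{"name": "init", "image": "busybox", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "containers": [{"name": "app", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "appArmorProfile": {"type": "RuntimeDefault"},
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

# Constructed sample: a typical debug manifest that breaks most of the rules at once
NONCOMPLIANT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}]},
    "containers": [{"name": "shell", "image": "ubuntu", "securityContext": {
        "privileged": True, "runAsUser": 0, "procMount": "Unmasked",
        "seccompProfile": {"type": "Unconfined"},
        "capabilities": {"drop": ["ALL"], "add": ["SYS_ADMIN", "CHOWN"]}}}]}}

if __name__ == "__main__":
    for finding in check_pod(NONCOMPLIANT_POD):
        print(*finding)
```

Running the block prints eight findings for the debug Pod (rules 001 through 006, 009 and 010) and none for the web Pod; with justified_caps=True the CHOWN finding disappears while SYS_ADMIN remains flagged, which is exactly the boundary SEC-CTX-004 draws.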

## Status

{{ .sec-ctx.status }}