What is it?
Horusec-Kubernetes is a SAST tool created by the Horusec team to search for vulnerabilities in projects that use Kubernetes .yaml files.
Allow Privilege Escalation
Privileged containers share namespaces with the host system, eschew cgroup restrictions, and do not offer any security. They should be used exclusively as a bundling and distribution mechanism for the code in the container, and not for isolation.
Managing /etc/hosts aliases can prevent the container from modifying the file after a pod’s containers have already been started. DNS should be managed by the orchestrator.
Mounting the Docker socket (docker.sock) leaks information about other containers and can allow container breakout.
Capability System Admin
CAP_SYS_ADMIN is the most privileged capability and should always be avoided.
Privileged containers can allow almost completely unrestricted host access.
Unconfined Seccomp profiles have full system call access.
Sharing the host’s IPC namespace allows container processes to communicate with processes on the host.
Sharing the host’s PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration.
Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.
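The settings described above map to specific pod-spec fields. The following check is an added example, not Horusec's own code: the finding names, the `audit_pod` function and the sample manifest are constructed for illustration, and the manifest is assumed to be already parsed from YAML into a dict.

```python
# Constructed sample manifest, already parsed into a dict (as a YAML loader would return).
POD = {
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "hostAliases": [{"ip": "10.0.0.5", "hostnames": ["db.local"]}],
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {
                "privileged": True,
                "allowPrivilegeEscalation": True,
                "capabilities": {"add": ["SYS_ADMIN"]},
                "seccompProfile": {"type": "Unconfined"},
            },
        }],
    },
}

def _unconfined(security_context):
    # True when a pod- or container-level securityContext disables seccomp filtering.
    return ((security_context or {}).get("seccompProfile") or {}).get("type") == "Unconfined"

def audit_pod(pod):
    """Return the sorted (hypothetical) names of risky settings found in one Pod manifest."""
    spec = pod.get("spec") or {}
    found = {k for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k) is True}
    if spec.get("hostAliases"):
        found.add("hostAliases")
    for vol in spec.get("volumes") or []:
        if ((vol.get("hostPath") or {}).get("path") or "").endswith("docker.sock"):
            found.add("dockerSocket")
    if _unconfined(spec.get("securityContext")):
        found.add("seccompUnconfined")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            found.add("privileged")
        if sc.get("allowPrivilegeEscalation") is True:
            found.add("allowPrivilegeEscalation")
        if {"SYS_ADMIN", "CAP_SYS_ADMIN"} & set((sc.get("capabilities") or {}).get("add") or []):
            found.add("capSysAdmin")
        if _unconfined(sc):
            found.add("seccompUnconfined")
    return sorted(found)

if __name__ == "__main__":
    print(audit_pod(POD))
```

A container that sets `allowPrivilegeEscalation: false`, drops all capabilities and uses the `RuntimeDefault` seccomp profile, in a pod without host namespaces, produces no findings.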