Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Minimize Admission of Privileged Containers

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that containers are prohibited from being admitted if they have "securityContext.privileged" set to true. The "securityContext.privileged" flag should be restricted because it gives the container nearly all the capabilities of the host machine's root user.

Security

When a container is run with securityContext.privileged: true, it essentially disables the security isolation that is the foundation of container technology. This flag bypasses most Linux kernel security mechanisms, including AppArmor, SELinux, and Seccomp profiles, that would normally restrict the container's actions.

Audit

To determine if the containers are permitted to operate with the "securityContext.privileged" flag set to true, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version

  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.34.1

  9. Run the following command to list the names of all Pods across all namespaces and filter the command output for containers with "securityContext.privileged" flag set to true:

    kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.spec.containers[].securityContext.privileged == true) | .metadata.name'

  10. The command output should return a list where each line is the name of a Pod that is running with privileged access (root access to the node's devices and kernel capabilities) within your OKE cluster:

    dev/canal-abcd1234
dev/proxymux-client-abc123
dev/monitoring-agent-abc
dev/kube-proxy-123abc

    If the command output returns one or more results, it indicates that Pods are running within the selected OKE cluster that violate the security restriction against running privileged containers (i.e., containers are permitted to run with securityContext.privileged: true).

Remediation / Resolution

To ensure that containers are not permitted to run with the "securityContext.privileged" flag set to true, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version

  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.34.1

  9. Run the kubectl get namespaces command to identify your Kubernetes user-workload namespaces. A Kubernetes user-workload namespace is a logical partition within an OKE cluster intended for hosting applications and services deployed by users or development teams:

    kubectl get namespaces

  10. The command output should return a list with all namespaces. OCI Kubernetes Engine (OKE) clusters come with several default namespaces. Exclude the default OKE system namespaces (i.e., kube-system, kube-public, kube-node-lease, and default) from your implementation:

    NAME                 STATUS   AGE
default              Active   16d
kube-node-lease      Active   16d
kube-public          Active   16d
kube-system          Active   16d
...
dev                  Active   16d
staging              Active   16d
prod                 Active   16d

  11. The Restricted Pod Security Standard (PSS) profiles, when enforced at the namespace level, disallow the use of securityContext.privileged: true. To restrict the admission of privileged containers, run the kubectl label command for each Kubernetes user-workload namespace where enforcement is desired. This command applies the appropriate security policy. By using a label such as pod-security.kubernetes.io/enforce=restricted, you instruct the Kubernetes API server that any new Pod in that namespace must comply with the Restricted security policy. Once this enforcement label is applied, the API server will reject any Pod creation request in that namespace if a container's security context explicitly sets securityContext.privileged: true. Replace \<user-workload-namespace\> with the name of your own namespace:

    kubectl label --overwrite ns <user-workload-namespace> pod-security.kubernetes.io/enforce=restricted

  12. The command output should return the name of the labeled user-workload-namespace:

    namespace/<user-workload-namespace> labeled

References

Publication date Dec 11, 2025

Related OCI-OKE rules