rastray 0.15.0

Blazing-fast static analysis CLI for security, dependency, and performance audits.
# RSTR-IAC-007 — `privileged: true` container

## Summary

A Kubernetes PodSpec sets `securityContext.privileged: true` (or a
container-level `securityContext.privileged: true`). A privileged
container runs with effectively the same privileges as root on the
host: it can mount any filesystem, load kernel modules, talk to
all devices under `/dev`, and reach into other containers' cgroups.

`privileged: true` is the Kubernetes equivalent of `--privileged`
on `docker run`, and the same caveat applies: it is rarely the
right answer, and when it is (host-level monitoring agent, CNI
plugin, low-level GPU bring-up), the workload should be carved off
into a dedicated node pool with its own RBAC.

## Severity

`High`.

## Languages

Kubernetes YAML manifests (`Pod`, `Deployment`, `StatefulSet`,
`DaemonSet`, `Job`, `CronJob`, `ReplicaSet`,
`ReplicationController`).

## What rastray flags

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: app:1.0
      securityContext:
        privileged: true              # ← flagged
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent
spec:
  template:
    spec:
      containers:
        - name: agent
          image: agent:1.0
          securityContext:
            privileged: true          # ← flagged
```

## What rastray deliberately does *not* flag

- `privileged: false` (the default; explicit-false is a good signal
  in policy-as-code).
- `allowPrivilegeEscalation: true` — separate concern, handled by
  policy admission controllers.
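As an added example (not rastray's own code), a minimal Python detector for this rule: it walks to the PodSpec for each kind listed above, including the double nesting of a CronJob, checks init, regular and ephemeral containers, and leaves `privileged: false` and `allowPrivilegeEscalation` alone. It takes the dicts a YAML parser such as `yaml.safe_load_all` produces, so the sample manifests are embedded as constructed dicts.

```python
# Added example, not rastray's own code: report securityContext.privileged: true
# in every container list of the kinds the rule covers. Input is the dict a YAML
# parser (e.g. yaml.safe_load) yields for one manifest document.

# Key path from the document root to the PodSpec, per kind.
POD_SPEC_PATHS = {"Pod": ["spec"],
                  "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"]}
for _kind in ("Deployment", "StatefulSet", "DaemonSet", "Job",
              "ReplicaSet", "ReplicationController"):
    POD_SPEC_PATHS[_kind] = ["spec", "template", "spec"]

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")

def find_privileged(doc):
    """Return 'Kind/name:container' for each container with privileged: true."""
    path = POD_SPEC_PATHS.get(doc.get("kind"))
    if path is None:                      # not a workload kind: nothing to check
        return []
    pod_spec = doc
    for key in path:                      # walk down to the PodSpec
        pod_spec = pod_spec.get(key) or {}
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for list_key in CONTAINER_LISTS:
        for c in pod_spec.get(list_key) or []:
            # Only the literal boolean is flagged; privileged: false and
            # allowPrivilegeEscalation are deliberately ignored, as the rule does.
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"{doc['kind']}/{name}:{c.get('name', '?')}")
    return findings

def scan(docs):
    """Flatten findings over a multi-document manifest."""
    return [f for doc in docs for f in find_privileged(doc)]

# Constructed sample manifests: the Pod from above, a CronJob with a
# privileged initContainer, and a Deployment that must not be flagged.
SAMPLE_DOCS = [
    {"kind": "Pod", "metadata": {"name": "app"}, "spec": {"containers": [
        {"name": "app", "image": "app:1.0", "securityContext": {"privileged": True}}]}},
    {"kind": "CronJob", "metadata": {"name": "sync"}, "spec": {"jobTemplate": {"spec": {
        "template": {"spec": {
            "initContainers": [{"name": "prep", "securityContext": {"privileged": True}}],
            "containers": [{"name": "sync", "securityContext": {"privileged": False}}]}}}}}},
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
        "containers": [{"name": "web", "securityContext": {"allowPrivilegeEscalation": True}}]}}}},
]
```

Running `scan(SAMPLE_DOCS)` reports `Pod/app:app` and `CronJob/sync:prep` and nothing for the Deployment.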

## How to fix it

Drop `privileged: true` and request only the specific Linux
capabilities you actually need:

```yaml
securityContext:
  capabilities:
    drop: ["ALL"]
    add: ["NET_BIND_SERVICE"]        # only what you need
  allowPrivilegeEscalation: false
  runAsNonRoot: true
```

If the workload genuinely needs host-level access (CSI driver,
node-exporter, low-level networking), keep it on a dedicated node
pool with PSA `restricted` enforcement on every other namespace,
and review the pod spec at every release.

## References

- [Kubernetes — Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
- [Kubernetes — Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- [CWE-250](https://cwe.mitre.org/data/definitions/250.html)