F-2025-0009·configuration

Missing Kubernetes security controls risk container escape

Acknowledged · typescript · widgetrouter-api
TL;DR

Kubernetes manifests did not set the standard `securityContext` controls (runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities), increasing the blast radius of any container compromise.

Severity: LOW
Impact: MEDIUM
Likelihood: LOW
Method: Manual review
Complexity: MEDIUM
Exploitability: LOW

Description

The Kubernetes manifests did not include hardened securityContext settings: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, capability drops, and seccomp profiles were not configured. A compromised container would have more permissions than necessary.

Recommendation

Add securityContext to all pods and containers: runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, drop ALL capabilities and re-add only the ones required, and apply a RuntimeDefault seccomp profile.
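
A Deployment showing where each recommended field goes, as an added example that is not taken from the audited repository. The workload name, image, UID/GID, port and the `/tmp` mount are assumptions.

```yaml
# Added example: hypothetical workload, not from the audited repository.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api              # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-api
  template:
    metadata:
      labels:
        app: example-api
    spec:
      securityContext:           # pod level: inherited by every container
        runAsNonRoot: true       # kubelet refuses to start a container that would run as UID 0
        runAsUser: 10001         # assumed UID; the image must work as this user
        runAsGroup: 10001        # assumed GID
        seccompProfile:
          type: RuntimeDefault   # container runtime's default syscall filter
      containers:
        - name: api
          image: registry.example.com/example-api:TAG   # placeholder image reference
          ports:
            - containerPort: 8080                       # assumed port
          securityContext:       # container level: these fields do not exist on the pod
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              # add: []          # re-add only capabilities the workload is shown to need
          volumeMounts:
            - name: tmp
              mountPath: /tmp    # writable scratch space, since the root filesystem is read-only
      volumes:
        - name: tmp
          emptyDir: {}
```

With `readOnlyRootFilesystem: true`, any path the process writes to needs its own volume mount like the `emptyDir` above, otherwise writes fail at runtime.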

Initia: Acknowledged. Pashov Audit Group: Acknowledged.