Running containers in privileged mode can reduce the resilience of a cluster in the event of a security incident because it weakens the isolation
between hosts and containers.
Process permissions in privileged containers are essentially the same as root permissions on the host. If these processes are not protected by
robust security measures, an attacker who compromises this container might be able to compromise the host as well. From this point, they are likely to
gain the ability to move even further to other managed nodes.
Ask Yourself Whether
- The services of this container are accessible to people who are not administrators of the managed nodes.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Disable privileged mode.
Sensitive Code Example
- name: Example playbook
hosts: server
tasks:
- name: Run container
community.docker.docker_container:
name: container
image: ubuntu:22.04
privileged: true # Sensitive
Compliant Solution
- name: Example playbook
hosts: server
tasks:
- name: Run container
community.docker.docker_container:
name: container
image: ubuntu:22.04
See
