← all rules

iac/kubernetes/k8s-privileged-container

Privileged container

highKubernetesiac-kubernetes

What it detects

`privileged: true` disables almost all container isolation — the process gets nearly all host capabilities and can access host devices. A compromise of the container is effectively a compromise of the node.

Remediation

Remove `privileged: true`. Grant only the specific capabilities the workload needs via `securityContext.capabilities.add`.

How it runs

Run against YAML files that look like Kubernetes manifests (top-level `apiVersion:` + `kind:`). Line-based checks across multi-document files; Helm-templated lines are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.