Note that in kubernetes, setting `allowPrivilegeEscalation` to false (which you ...

j16sdiz · 2026-04-30T13:52:01 1777557121

according to this reddit post https://www.reddit.com/r/kubernetes/comments/1szn6p1/comment...?

> the primary mitigation is still patching the node kernel; user namespaces are blast-radius reduction, not a complete mitigation for this path

parliament32 · 2026-04-30T14:23:48 1777559028

allowPrivilegeEscalation is unrelated to user namespaces. Many vendors do not yet have kernel patches available, but yes that'll eventually be the proper fix.

TZubiri · 2026-04-30T14:30:29 1777559429

They have a setting for that?

That's crazy, feels like prompting "make no mistakes" to the llm.

If it works, when would you want it turned on? Why isn't false the default

parliament32 · 2026-04-30T14:37:21 1777559841

Because it would break all setuid binaries? Same reason the Linux kernel doesn't set no_new_privs (https://docs.kernel.org/userspace-api/no_new_privs.html) by default.

As an operator you are responsible for configuring your environment correctly. I would recommend starting here: https://kubernetes.io/docs/concepts/security/

TZubiri · 2026-04-30T14:52:08 1777560728

https://kubernetes.io/docs/concepts/security/pod-security-st...

Relevant section

stratos123 · 2026-04-30T15:01:05 1777561265

It's equivalent to setting no_new_privs on the container process, so it'd mean you have to grant a privelege to the container process if you want any children to have access to it. It sure sounds funny in a CVE context, though.