Kubernetes and Cloud Native Security Associate (KCSA)

Kubernetes Threat Model

Privilege Escalation

Privilege escalation allows a non-root user to perform tasks requiring superuser rights. Instead of enabling direct root logins—which poses security risks—you can delegate specific commands to trusted users via sudo. This approach enforces the principle of least privilege and keeps your system secure.

Why Use sudo?

  • Grants temporary elevated rights without sharing the root password
  • Provides an audit trail of executed commands
  • Limits users to only the commands they need

Attempting a Restricted Operation

Without sudo, installing packages fails:

$ apt install nginx
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?

Elevate with sudo

Prepend sudo, authenticate with your own password, and the command succeeds:

$ sudo apt install nginx
[sudo] password for michael: 

Note

If you see User michael is not in the sudoers file, add your user to the sudo group or update /etc/sudoers accordingly.

Configuring sudo: /etc/sudoers

All sudo policies live in /etc/sudoers and included files under /etc/sudoers.d/. Always edit with visudo to prevent syntax errors:

sudo visudo

Here’s a sample excerpt:

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL)       ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL)   ALL

# Allow mark to run any command
mark    ALL=(ALL:ALL)   ALL

# Allow sarah to reboot the system
sarah   localhost=/usr/bin/shutdown -r now

# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
FieldDescriptionExample
User or GroupUsername (e.g., mark) or group (%sudo)%admin
Host(s)Hosts where the rule applies (usually ALL)localhost
Run-As SpecificationUser and group for command execution (in ( and ))(ALL:ALL)
CommandsAllowed commands or ALL for full rights/usr/bin/shutdown -r now
CommentsLines beginning with # are ignored# User privilege specification

Warning

Never edit /etc/sudoers with a regular text editor. Syntax errors can lock out all sudo access. Always use visudo.

Best Practices for sudo Configuration

  • Grant only the commands necessary for a task
  • Use group-based rules to simplify management
  • Avoid NOPASSWD unless automation requires it
  • Keep custom rules in /etc/sudoers.d/ for modularity

Hands-On Exercises

  1. Create a test user:
    sudo useradd -m bob
    sudo passwd bob
    
  2. Add the user to the sudo group:
    sudo usermod -aG sudo bob
    
  3. Switch to bob and install a package:
    su - bob
    sudo apt update && sudo apt install htop
    
  4. Customize a rule in /etc/sudoers.d/custom_rules to allow bob to restart services without a password.

Watch Video

Watch video content

Previous
Access to Sensitive Data