Add "--no-new-privileges" flag

Always run your Docker containers with "--security-opt=no-new-privileges" so that processes inside the container cannot gain additional privileges through setuid or setgid binaries.

In Kubernetes, the equivalent is configured in the container's Security Context with the allowPrivilegeEscalation field, e.g.:

```yaml
kind: ...
apiVersion: ...
metadata:
  name: ...
spec:
  ...
  containers:
  - name: ...
    image: ...
    securityContext:
      ...
      allowPrivilegeEscalation: false
      ...
```

As a Kubernetes cluster administrator, you can refer to the Kubernetes documentation to enforce this setting cluster-wide using Pod Security Policies.
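As an added example (not code from the original page), a small Python audit that applies the rule above to a pod manifest: it reports every container and initContainer that does not explicitly set allowPrivilegeEscalation to false, and it also flags privileged containers and containers granted CAP_SYS_ADMIN, because Kubernetes forces allowPrivilegeEscalation to true in those two cases regardless of the field. The sample pod is constructed for this example and is given as JSON (a subset of YAML) so that no YAML library is required.

```python
"""Audit a Kubernetes pod spec for containers that can escalate privileges.

Kubernetes defaults allowPrivilegeEscalation to true when the field is
absent, and always treats it as true for privileged containers and for
containers that add CAP_SYS_ADMIN, so all three cases are reported.
"""
import json


def audit_pod(pod: dict) -> list:
    """Return one finding string per container that may gain privileges."""
    findings = []
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            caps = sc.get("capabilities") or {}
            added = {str(c).upper() for c in (caps.get("add") or [])}
            if sc.get("privileged"):
                findings.append(f"{kind}/{name}: privileged=true forces allowPrivilegeEscalation=true")
            elif "SYS_ADMIN" in added or "CAP_SYS_ADMIN" in added:
                findings.append(f"{kind}/{name}: CAP_SYS_ADMIN forces allowPrivilegeEscalation=true")
            elif "allowPrivilegeEscalation" not in sc:
                findings.append(f"{kind}/{name}: allowPrivilegeEscalation not set (defaults to true)")
            elif sc["allowPrivilegeEscalation"] is not False:
                findings.append(f"{kind}/{name}: allowPrivilegeEscalation={sc['allowPrivilegeEscalation']}")
    return findings


# Constructed sample manifest: one compliant container, one privileged
# container that sets the field to false anyway, and an init container
# that omits the field entirely.
SAMPLE_POD = json.loads("""
{"kind": "Pod", "apiVersion": "v1", "metadata": {"name": "demo"},
 "spec": {
   "initContainers": [{"name": "init", "image": "busybox"}],
   "containers": [
     {"name": "web", "image": "nginx",
      "securityContext": {"allowPrivilegeEscalation": false}},
     {"name": "debug", "image": "busybox",
      "securityContext": {"allowPrivilegeEscalation": false, "privileged": true}}
   ]}}
""")

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```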