Pod Privileges
BeaverDeck uses this check to identify a specific security condition that may need operator review.
| Check type | pod-privileged |
|---|---|
| Insights section | Security Insights |
| Alert severity | Warning |
When It Reports A Finding
An active Pod uses hostNetwork, hostPID, or hostIPC, or an init/application container is privileged or explicitly allows privilege escalation.
Why This Is A Problem
These settings weaken workload isolation and can increase the impact of a container compromise on the node or other workloads.
Recommended Response
- Confirm which listed privilege is required by the workload and document the reason.
- Remove host namespace access and privileged mode where possible, and set allowPrivilegeEscalation: false.
- Use the minimum capabilities, mounts, and service account permissions needed, then enforce the intended Pod Security policy.
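The following is an added example, not BeaverDeck's own code: it reproduces the condition this check reports over a Pod manifest (the dict shape `kubectl get pod -o json` returns) and pairs a constructed Pod that trips it with the same Pod after the recommended response. Field names are the standard Kubernetes Pod spec; the sample Pods, image names, and the `HARDENED_SC` helper are assumptions made for the example.

```python
# Added example, not BeaverDeck's own code: reproduce the pod-privileged check over
# a Pod manifest dict (the shape `kubectl get pod -o json` returns) and show the
# hardened form of the same Pod. Field names are the standard Kubernetes Pod spec.

def pod_privileged_findings(pod: dict) -> list[str]:
    """Return one string per condition that would trigger the finding."""
    spec = pod.get("spec", {})
    findings = []
    # Host namespace sharing is a Pod-level setting.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(f"pod uses {field}")
    # Privilege settings live in each container's securityContext; init
    # containers count just as much as application containers.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append(f"{kind}/{c['name']}: privileged")
            if sc.get("allowPrivilegeEscalation") is True:
                findings.append(f"{kind}/{c['name']}: allowPrivilegeEscalation true")
    return findings

# Constructed sample: trips the check on three separate conditions.
WEAK_POD = {
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "initContainers": [{"name": "setup", "image": "busybox",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": True}}],
    },
}

# The same Pod after the recommended response: no host namespaces, no privileged
# mode, allowPrivilegeEscalation false and all capabilities dropped on every container.
HARDENED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
HARDENED_POD = {
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "busybox", "securityContext": HARDENED_SC}],
        "containers": [{"name": "app", "image": "nginx", "securityContext": HARDENED_SC}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, pod_privileged_findings(pod))  # weak: 3 findings, hardened: []
```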
Scope And Limitations
Some networking, storage, and node agents legitimately need elevated access. The check does not cover every securityContext risk, capability, hostPath, or service account permission.
After remediation: refresh Security Insights and verify the underlying resource or metric. Suppress the finding only when the condition is intentional and its risk is accepted.