Profile Applicability: Level 1
Do not generally permit containers to be run with the allowPrivilegeEscalation flag set to true. Allowing this right can lead to a process running in a container gaining more rights than it started with. It's important to note that these rights are still constrained by the overall container sandbox, and this setting does not relate to the use of privileged containers.
A container running with the allowPrivilegeEscalation flag set to true may have processes that can gain more privileges than their parent. There should be at least one admission control policy defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. If you need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate policy, and you should carefully check to ensure that only limited service accounts and users are given permission to use that policy.

Note: By default, there are no restrictions on a contained process's ability to escalate privileges within the context of the container.
Impact
Pods with a container that sets securityContext.allowPrivilegeEscalation: true will not be permitted unless they are run under a specific policy.
Audit
List the policies in use for each namespace in the cluster, and ensure that each policy disallows the admission of containers which allow privilege escalation.
This command gets all pods across all namespaces, outputs their details in JSON format, and uses jq to parse and filter the output for containers with allowPrivilegeEscalation set to true:

kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(any(.spec.containers[]; .securityContext.allowPrivilegeEscalation == true)) | "\(.metadata.namespace)/\(.metadata.name)"'
    
OR
kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(any(.spec.containers[]; .securityContext.allowPrivilegeEscalation == true)) | select(.metadata.namespace != "kube-system" and .metadata.namespace != "gatekeeper-system" and .metadata.namespace != "azure-arc" and .metadata.namespace != "azure-extensions-usage-system") | "\(.metadata.name) \(.metadata.namespace)"'
When creating a Pod Security Policy, the kube-system, gatekeeper-system, azure-arc and azure-extensions-usage-system namespaces are excluded by default.
This command uses jq, a command-line JSON processor, to parse the JSON output from kubectl get pods and filter out pods where any container has the securityContext.allowPrivilegeEscalation flag set to true.

Note: You might need to adjust the command depending on your specific requirements and the structure of your pod specifications. In particular, the filter above only inspects spec.containers (not initContainers or ephemeralContainers) and only matches an explicit true; a container that leaves allowPrivilegeEscalation unset also allows privilege escalation, because the field defaults to true.
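The following Python script is an added example, not part of the benchmark text or of Azure's tooling. It applies the same audit as the jq filter above to a constructed pod list in the shape of `kubectl get pods --all-namespaces -o json` (embedded inline, so it runs offline), and goes further in the ways the note describes: it checks initContainers and ephemeralContainers as well as containers, reports containers that leave allowPrivilegeEscalation unset (the Kubernetes default is true), and treats privileged containers and containers adding CAP_SYS_ADMIN as allowing escalation, as the Kubernetes API defines. The function names, the sample pods and the decision to match both the `SYS_ADMIN` and `CAP_SYS_ADMIN` spellings are this example's own assumptions.

```python
"""Audit pods for containers that allow privilege escalation (added example)."""
import json

# Namespaces that the page says are excluded by default from the Azure policy.
DEFAULT_EXCLUDED_NAMESPACES = frozenset({
    "kube-system", "gatekeeper-system", "azure-arc", "azure-extensions-usage-system",
})


def escalation_reason(container):
    """Return why this container allows privilege escalation, or None if it does not.

    Kubernetes semantics: allowPrivilegeEscalation defaults to true when unset and is
    always true for privileged containers or containers that add CAP_SYS_ADMIN.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged") is True:
        return "privileged"
    added = (sc.get("capabilities") or {}).get("add") or []
    # Assumption of this example: accept both spellings of the capability name.
    if any(cap in ("SYS_ADMIN", "CAP_SYS_ADMIN") for cap in added):
        return "CAP_SYS_ADMIN"
    ape = sc.get("allowPrivilegeEscalation")
    if ape is True:
        return "allowPrivilegeEscalation: true"
    if ape is None:
        return "allowPrivilegeEscalation unset (defaults to true)"
    return None  # explicitly false: no_new_privs will be set on the process


def audit_pods(pod_list, excluded_namespaces=DEFAULT_EXCLUDED_NAMESPACES, report_unset=True):
    """Return (namespace, pod, container, reason) tuples for every offending container."""
    findings = []
    for pod in pod_list.get("items", []):
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        if ns in excluded_namespaces:
            continue
        spec = pod.get("spec", {})
        # The jq filter on the page only looks at .spec.containers; check all three lists.
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                reason = escalation_reason(c)
                if reason is None:
                    continue
                if not report_unset and reason.startswith("allowPrivilegeEscalation unset"):
                    continue
                findings.append((ns, name, f"{field}/{c['name']}", reason))
    return findings


# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "default", "name": "web-7d9f"},
  "spec": {"containers": [{"name": "nginx",
    "securityContext": {"allowPrivilegeEscalation": false, "runAsNonRoot": true}}]}},
 {"metadata": {"namespace": "default", "name": "debug-shell"},
  "spec": {"containers": [{"name": "shell",
    "securityContext": {"allowPrivilegeEscalation": true}}]}},
 {"metadata": {"namespace": "payments", "name": "worker-5c"},
  "spec": {"initContainers": [{"name": "sysctl-init",
    "securityContext": {"privileged": true}}],
   "containers": [{"name": "worker"}]}},
 {"metadata": {"namespace": "kube-system", "name": "coredns"},
  "spec": {"containers": [{"name": "coredns",
    "securityContext": {"allowPrivilegeEscalation": true}}]}},
 {"metadata": {"namespace": "monitoring", "name": "node-exporter"},
  "spec": {"containers": [{"name": "exporter",
    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
]}
""")


if __name__ == "__main__":
    # Same "namespace/pod" layout as the jq command, plus the container and the reason.
    for ns, pod, container, reason in audit_pods(SAMPLE_POD_LIST):
        print(f"{ns}/{pod}  {container}: {reason}")
```

Run it against a live cluster by replacing SAMPLE_POD_LIST with `json.load` over the output of `kubectl get pods --all-namespaces -o json`; pass `report_unset=False` to reproduce the page's narrower "explicit true only" result, and `excluded_namespaces=frozenset()` to audit the system namespaces too.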
Remediation
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with securityContext.allowPrivilegeEscalation set to true.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal.
A detailed step-by-step guide can be found here: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes