- [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
    - [CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3955-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
  - [Changes by Kind](#changes-by-kind)
    - [Feature](#feature)

	// Enables privileged securityContext for the istio-proxy container.
	//
	// See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
	Privileged *wrapperspb.BoolValue `protobuf:"bytes,19,opt,name=privileged,proto3" json:"privileged,omitempty"`
	// Sets the initial delay for readiness probes in seconds.

- kube-dns add-on:
  - All containers are now being executed under more restrictive privileges.
  - Most of the containers now run as non-root user and has the root filesystem set as read-only.
  - The remaining container running as root only has the minimum Linux capabilities it requires to run.

				"--allow-privileged=true",
			},
			expected: []kubeadmapi.Arg{
				{Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"},
				{Name: "allow-privileged", Value: "true"},
			},
		},
		{
			name: "test that feature-gates is working",
			args: []string{
				"--admission-control=NamespaceLifecycle,LimitRanger",
				"--allow-privileged=true",

## Privileges required

func TestContainerSecurityContextAccessor(t *testing.T) {
	privileged := true
	runAsUser := int64(1)
	runAsGroup := int64(1)
	runAsNonRoot := true
	readOnlyRootFilesystem := true
	allowPrivilegeEscalation := true

	testcases := []*api.SecurityContext{
		nil,
		{},
		{Capabilities: &api.Capabilities{Drop: []api.Capability{"test"}}},
		{Privileged: &privileged},
		{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},

)

// Check validates if a user has elevated (administrator) privileges.
func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) {
	hProcessToken := windows.GetCurrentProcessToken()
	if hProcessToken.IsElevated() {
		return nil, nil
	}
	return nil, []error{errors.New("the kubeadm process must be run by a user with elevated privileges")}
}

// Check number of memory required by kubeadm
// No-op for Windows.

func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext {
	priv := false
	defProcMount := v1.DefaultProcMount
	return &v1.SecurityContext{
		Capabilities: &v1.Capabilities{},
		Privileged:   &priv,
		ProcMount:    &defProcMount,
	}
}

// ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on
// empty container defaults.  Used for testing.

	w.containerSC.Capabilities = v
}
func (w *containerSecurityContextWrapper) Privileged() *bool {
	if w.containerSC == nil {
		return nil
	}
	return w.containerSC.Privileged
}
func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) {
	if w.containerSC == nil && v == nil {
		return
	}
	w.ensureContainerSC()
	w.containerSC.Privileged = v
}

      value: "{{ $value }}"
    {{- end }}
  {{- end }}
    resources:
  {{ template "resources" . }}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
    {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
        add:
        - NET_ADMIN
        - NET_RAW
    {{- end }}
        drop: