Scenario #282
Security
Kubernetes v1.23, GitLab CI on EKS

GitLab Runners Spawning Privileged Containers

GitLab runners were configured to run privileged containers to support Docker-in-Docker (DinD), leading to a high-risk setup.

What Happened

A developer pipeline was hijacked and used to build malicious images; because the runner's build containers ran in privileged mode, the hijacked job had access to the underlying node.

Diagnosis Steps
  1. Detected unusual image pushes to the private registry.
  2. Reviewed the runner configuration and found privileged: true enabled.
  3. Audited node access logs.
Root Cause

Runners were configured with elevated privileges for convenience, so that Docker-in-Docker could start a Docker daemon inside the build pod.

Fix/Workaround
• Disabled DinD and used Kaniko for builds.
• Set runner securityContext to avoid privilege escalation.
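The two job definitions below are an added example, not configuration taken from the affected project: the first is the Docker-in-Docker job shape that forces the runner to be privileged, the second is the equivalent Kaniko job that builds and pushes the same image with no Docker daemon and no privileged runner. It assumes a Dockerfile at the repository root and uses only GitLab's predefined CI variables ($CI_REGISTRY, $CI_REGISTRY_USER, $CI_REGISTRY_PASSWORD, $CI_REGISTRY_IMAGE, $CI_COMMIT_SHORT_SHA); the image tags are the ones GitLab's documentation uses and can be pinned to whatever the project standardises on.

```yaml
# BEFORE (weak): Docker-in-Docker. The dind service needs a privileged
# runner (privileged = true in the runner's config.toml) so that dockerd can
# start, which is exactly the setting that exposed the node in this scenario.
build-dind:
  stage: build
  image: docker:24.0.5
  services:
    - docker:24.0.5-dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# AFTER (hardened): Kaniko executes the Dockerfile in userspace and pushes
# the result itself. No Docker daemon, no dind service, no privileged runner.
build-kaniko:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # Kaniko reads registry credentials from its own docker config file;
    # the values come from GitLab's predefined job variables.
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(printf '%s:%s' "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor
        --context "$CI_PROJECT_DIR"
        --dockerfile "$CI_PROJECT_DIR/Dockerfile"
        --destination "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
```

Once every build job in the project uses the Kaniko form, privileged mode can be turned off on the runner; with the DinD job still present, flipping the runner to unprivileged just makes the dind service fail to start, which is a useful way to find the jobs that still depend on it.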
Lessons Learned

Privileged mode should be a last resort.

How to Avoid
  1. Avoid using DinD where possible.
  2. Use rootless build tools like Kaniko or Buildah.
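Switching the build tool removes the need for privilege; the cluster should also refuse it so a convenience setting cannot creep back in. The following is an added example, not part of the original scenario: a Namespace manifest that turns on Pod Security Admission (beta and enabled by default in Kubernetes 1.23) at the baseline level for the runner's namespace, and a values.yaml fragment for the gitlab-runner Helm chart that sets the Kubernetes executor to unprivileged with privilege escalation disabled. The namespace name gitlab-runner is assumed; the TOML keys are the Kubernetes executor's documented settings.

```yaml
# Apply with kubectl. Baseline enforcement rejects any pod that requests
# privileged: true (as well as hostPID, hostNetwork and hostPath), so a
# runner that still carries privileged = true fails to schedule build pods
# instead of silently exposing the node. "warn: restricted" surfaces
# warnings for pods that run as root (Kaniko does) without blocking them.
apiVersion: v1
kind: Namespace
metadata:
  name: gitlab-runner            # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.23
    pod-security.kubernetes.io/warn: restricted
---
# values.yaml fragment for the gitlab-runner Helm chart. runners.config is
# the TOML that ends up in the runner's config.toml.
runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "gitlab-runner"
        # The setting that caused this incident, now off.
        privileged = false
        # Build containers may not gain privileges via setuid binaries
        # or file capabilities either.
        allow_privilege_escalation = false
        [runners.kubernetes.build_container_security_context]
          allow_privilege_escalation = false
```

The first document goes to kubectl, the second is passed to helm upgrade with -f. Keep enforcement at baseline rather than restricted for a Kaniko-based runner: restricted additionally requires runAsNonRoot, which the Kaniko executor image does not satisfy, so the warn label is the right place to track that gap until a rootless builder such as Buildah is in use.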