Pods should not run containers with added capabilities
Description
Adding Linux capabilities beyond the container runtime's default set (through securityContext.capabilities.add) widens the kernel attack surface available to a compromised process and therefore increases the risk of a container breakout. In most cases an application runs correctly with all capabilities dropped, or with the runtime's default set; a capability should be added only for a specific, documented need, and then as narrowly as possible.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that no container in a Kubernetes Pod (including initContainers and ephemeralContainers) adds capabilities beyond the default set: the container's securityContext must not carry a capabilities.add list. Omitting securityContext.capabilities entirely, or only listing capabilities under capabilities.drop, satisfies this rule.
Example Configuration

# Compliant: the container drops NET_RAW and adds nothing, so it runs with a
# subset of the runtime's default capability set.
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["NET_RAW"]
---
# Compliant: no securityContext at all, so the container receives only the
# runtime's default capability set and nothing is added.
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo2
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
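A static check for this rule, added here as an example and not tooling from the original page: it walks every container list in a PodSpec and reports each capability listed under securityContext.capabilities.add. The two manifests are constructed for illustration (the "sec-demo-bad" Pod, the "setup"/"app"/"sidecar" container names and the busybox image are assumptions, not from the page); they are written in the JSON form of a Pod, which kubectl also accepts, so that only the standard library is needed. The checker goes slightly beyond the page's Pod examples by also locating the pod template inside Deployment-style workloads and CronJobs.

```python
"""Flag Kubernetes containers that add Linux capabilities.

Added example, not the page's own tooling. The two manifests are constructed
for illustration and use the JSON form of a Pod, which kubectl accepts, so
that only the standard library is needed and the script runs offline.
"""
import json
import sys
from typing import List, Tuple

# Constructed compliant Pod (mirrors sec-demo1 above): drops NET_RAW, adds nothing.
COMPLIANT_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "sec-demo1"},
 "spec": {"containers": [
   {"name": "sec-demo-container",
    "image": "gcr.io/google-samples/node-hello:1.0",
    "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}}
""")

# Constructed non-compliant Pod (names and busybox image are assumptions): the
# init container adds SYS_ADMIN and the app container adds NET_ADMIN; dropping
# ALL first does not make an add compliant. The sidecar only drops, so it is fine.
NONCOMPLIANT_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "sec-demo-bad"},
 "spec": {
   "initContainers": [
     {"name": "setup", "image": "busybox:1.36",
      "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
   "containers": [
     {"name": "app", "image": "gcr.io/google-samples/node-hello:1.0",
      "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}},
     {"name": "sidecar", "image": "busybox:1.36",
      "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}
""")

# Every list in a PodSpec that holds containers.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def _norm(cap: str) -> str:
    """Normalise a capability name: Kubernetes expects upper-case names without
    the CAP_ prefix, but hand-written manifests sometimes carry it."""
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def pod_spec(obj: dict) -> dict:
    """Return the PodSpec of a bare Pod, or of a workload that embeds a pod
    template (Deployment/StatefulSet/DaemonSet/Job under spec.template,
    CronJob under spec.jobTemplate.spec.template)."""
    spec = obj.get("spec") or {}
    if "jobTemplate" in spec:
        template = (spec["jobTemplate"].get("spec") or {}).get("template") or {}
        return template.get("spec") or {}
    if "template" in spec:
        return (spec["template"] or {}).get("spec") or {}
    return spec


def find_added_capabilities(obj: dict, allowed=()) -> List[Tuple[str, str, str]]:
    """Return (field, container name, capability) for each capability a
    container adds via securityContext.capabilities.add, skipping names in
    `allowed` (empty by default: the rule is "add nothing")."""
    allow = {_norm(a) for a in allowed}
    findings = []
    spec = pod_spec(obj)
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                name = _norm(cap)
                if name not in allow:
                    findings.append((field, container.get("name", "<unnamed>"), name))
    return findings


def main(argv: List[str]) -> int:
    """Usage: python check_caps.py manifest.json ; exit status 1 on findings."""
    with open(argv[1]) as fh:
        obj = json.load(fh)
    findings = find_added_capabilities(obj)
    ident = f"{obj.get('kind')}/{(obj.get('metadata') or {}).get('name')}"
    for field, name, cap in findings:
        print(f"{ident}: {field}[{name}] adds {cap}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the non-compliant manifest the script reports the init container's SYS_ADMIN and the app container's NET_ADMIN and exits non-zero; the compliant manifest produces no findings. The `allowed` parameter exists for teams that deliberately tolerate a narrow exception; note that Pod Security Admission's restricted profile enforces a comparable rule at admission time and permits adding only NET_BIND_SERVICE, so a CI check like this one complements, rather than replaces, an in-cluster control.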