Pods should not run containers with added capabilities

Description

Adding capabilities beyond the default set increases the risk of container breakout attacks. In most cases, applications are able to operate normally with all Linux capabilities dropped, or with the default set of capabilities.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that no container in a Kubernetes.Pod adds capabilities beyond the default set, i.e. that securityContext.capabilities.add is absent or empty for every container

Example Configuration

# Compliant: the container only drops a capability and adds none
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["NET_RAW"]
---
# Compliant: no securityContext, so the container runs with the default capability set
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo2
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
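The check described above can also be run against the live state of a cluster. The following script is an added example (not tooling from this page); it assumes the input is the PodList JSON printed by kubectl get pods -A -o json, and the embedded sample data is constructed for illustration.

```python
# Added example (not from the page): flag Pods whose containers add Linux
# capabilities. Input is the PodList JSON that `kubectl get pods -A -o json`
# prints; SAMPLE below is constructed for this example.
import json
import sys


def added_capabilities(container: dict) -> list:
    """Return the capabilities a container spec adds, or [] if none."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return list(caps.get("add") or [])


def find_violations(pod_list: dict) -> list:
    """Return (namespace, pod, container, caps) for each offending container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for kind in ("initContainers", "containers"):  # init containers count too
            for c in spec.get(kind, []):
                caps = added_capabilities(c)
                if caps:  # drop-only or absent securityContext is compliant
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name", "?"), c.get("name", "?"), caps))
    return findings


def scan(raw_json: str) -> list:
    """Parse kubectl JSON output and return the violations it contains."""
    return find_violations(json.loads(raw_json))

# Constructed sample: one pod only drops NET_RAW, one sets no securityContext
# (default capability set), and one adds a capability, which must be flagged.
SAMPLE = json.dumps({"kind": "PodList", "items": [
    {"metadata": {"namespace": "default", "name": "sec-demo1"},
     "spec": {"containers": [{"name": "sec-demo-container",
              "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
    {"metadata": {"namespace": "default", "name": "sec-demo2"},
     "spec": {"containers": [{"name": "sec-demo-container"}]}},
    {"metadata": {"namespace": "net", "name": "net-tools"},
     "spec": {"containers": [{"name": "tool",
              "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}},
]})

if __name__ == "__main__":  # pipe kubectl output in; with no pipe, use SAMPLE
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for ns, pod, name, caps in scan(data):
        print(f"{ns}/{pod} container {name!r} adds capabilities: {', '.join(caps)}")
```

Pods that only drop capabilities, or that set no securityContext at all, are not reported; only a non-empty add list is.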