Pods should not run containers with default capabilities assigned
A default set of Linux capabilities is granted to every container when it runs, and many services do not need those capabilities to function. The recommended strategy is to drop all capabilities and then add back only the ones the workload actually requires, following the principle of least privilege.
Kubernetes Manifest (YAML)
Ensure that each container in a Kubernetes Pod drops ALL capabilities in its securityContext, and adds back only the required ones:

apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["ALL"]
        add: ["FOWNER"]
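A small checker for this rule, added here as an example and not part of the original page or any scanner's own code. It walks every container and init container of a Pod manifest (embedded below as the dict that yaml.safe_load() would return, so no PyYAML is needed) and reports those whose securityContext does not drop ALL; the sample Pod, container names and the case-insensitive comparison of "ALL" are assumptions.

```python
# Added example, not from the original page: a minimal checker for the
# drop-ALL rule, run against an embedded manifest so it works offline.

# Constructed sample Pod: only the first app container follows the pattern.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sec-demo1"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox"},  # no securityContext at all
        ],
        "containers": [
            {
                "name": "hardened",
                "image": "gcr.io/google-samples/node-hello:1.0",
                "securityContext": {
                    "capabilities": {"drop": ["ALL"], "add": ["FOWNER"]}
                },
            },
            {
                "name": "partial",
                "image": "nginx",
                # drops one capability; the rest of the runtime default set stays
                "securityContext": {"capabilities": {"drop": ["NET_RAW"]}},
            },
        ],
    },
}


def drops_all_capabilities(container: dict) -> bool:
    """True if securityContext.capabilities.drop lists ALL. Capabilities are
    container-scoped (no pod-level field), so only this block is consulted."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    # Kubernetes documents the value as "ALL"; compared case-insensitively (assumption).
    return any(str(c).upper() == "ALL" for c in caps.get("drop") or [])


def find_violations(pod: dict) -> list:
    """Names of containers (init containers included) that keep default caps."""
    spec = pod.get("spec") or {}
    return [
        f"{field}/{c.get('name', '<unnamed>')}"
        for field in ("initContainers", "containers")
        for c in spec.get(field) or []
        if not drops_all_capabilities(c)
    ]
```

Running find_violations(SAMPLE_POD) returns ['initContainers/init', 'containers/partial']; a container that drops ALL and adds back FOWNER passes.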