Pods should not run containers with default capabilities assigned

Description

Container runtimes grant a default set of Linux capabilities to every container they start (the Docker default set, for example, includes CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID, NET_BIND_SERVICE and NET_RAW, among others), and most services need few or none of them to function. The recommended strategy is to drop all capabilities and then add back only those the workload actually requires, following the principle of least privilege.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that each container in a Kubernetes Pod (including initContainers and ephemeralContainers, and the Pod templates embedded in Deployments, StatefulSets, DaemonSets, Jobs and CronJobs) sets securityContext.capabilities.drop to ["ALL"] and lists only the capabilities it actually needs under add
  • Capability names in a securityContext are written without the CAP_ prefix (FOWNER, not CAP_FOWNER)
  • Capabilities added back only take effect for processes running as root (UID 0) or for binaries carrying file capabilities; on most runtimes a container that runs as a non-root user does not gain them, so check whether the add list is needed at all

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["ALL"]      # start from an empty capability set
        add: ["FOWNER"]    # add back only what this workload needs; omit add entirely if it needs nothing
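The manifest above can be verified mechanically. The following checker is an added example, not part of the original page or of any policy engine: it takes a Kubernetes workload manifest in JSON form (what `kubectl get <kind> <name> -o json` prints), locates the Pod spec for Pods and for the common templated kinds (Deployment, StatefulSet, DaemonSet, Job, CronJob, plus `kind: List` output), and reports every container in `initContainers`, `containers` or `ephemeralContainers` that does not drop ALL or adds a capability outside a caller-supplied allow-list. The sample manifests (the page's Pod and a constructed Deployment with image names that are placeholders) are embedded so it runs offline with the standard library only.

```python
"""Added example: flag containers that keep default Linux capabilities.

Input is a Kubernetes manifest as JSON (kubectl ... -o json). Standard library only.
"""
import json
import sys
from typing import Any, Dict, Iterable, List, Optional

# Where the pod spec lives for the kinds handled here (assumption: any other kind is reported as unsupported).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# Every list in a pod spec that can hold a container with its own securityContext.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the embedded pod spec, or None if the kind is not handled."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None


def check_capabilities(manifest: Dict[str, Any], allowed_add: Iterable[str] = ()) -> List[str]:
    """Return one finding per violation; an empty list means the workload complies."""
    spec = pod_spec(manifest)
    if spec is None:
        return [f"unsupported kind {manifest.get('kind')!r}"]
    workload = manifest.get("metadata", {}).get("name", "<unnamed>")
    # Names are compared upper-cased; the API accepts any string, but the canonical form is upper-case.
    allowed = {cap.upper() for cap in allowed_add}
    findings: List[str] = []
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            where = f"{workload}/{list_name}/{container.get('name', '<unnamed>')}"
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            dropped = {str(c).upper() for c in caps.get("drop") or []}
            added = {str(c).upper() for c in caps.get("add") or []}
            if "ALL" not in dropped:
                findings.append(f"{where}: does not drop ALL (drop={sorted(dropped) or 'none'})")
            extra = sorted(added - allowed)
            if extra:
                findings.append(f"{where}: adds capabilities outside the allow-list: {extra}")
    return findings


def check_manifest(manifest: Dict[str, Any], allowed_add: Iterable[str] = ()) -> List[str]:
    """Accept a single object or a `kind: List` (as printed by kubectl) and flatten the findings."""
    if manifest.get("kind") == "List":
        return [f for item in manifest.get("items") or [] for f in check_capabilities(item, allowed_add)]
    return check_capabilities(manifest, allowed_add)


# Constructed samples (not from the page): the page's compliant Pod, and a Deployment whose
# init container keeps the defaults and whose app container adds NET_ADMIN. Image names are placeholders.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sec-demo1"},
    "spec": {"containers": [{
        "name": "sec-demo-container", "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["FOWNER"]}},
    }]},
}
NONCOMPLIANT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init-db", "image": "busybox:1.36"}],  # no securityContext at all
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        ],
    }}},
}

if __name__ == "__main__":
    # Usage: kubectl get deploy web -o json | python3 check_caps.py FOWNER
    # With no piped input, the built-in non-compliant sample is checked instead.
    allowed = sys.argv[1:]
    target = NONCOMPLIANT_DEPLOYMENT if sys.stdin.isatty() else json.load(sys.stdin)
    problems = check_manifest(target, allowed)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The allow-list is deliberately per invocation: a capability that is legitimate for one workload (FOWNER for the sample above) is a finding for another, so the check encodes the least-privilege decision rather than a global list. Exit status 1 on any finding makes the script usable as a CI gate.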