Admission of containers with capabilities assigned is not minimised

Description

Docker grants each container of a pod a default set of Linux capabilities. Containers run with that default set unless the pod manifest author changes it, either by requesting additional capabilities or by dropping some of the default ones.

Limiting the admission of containers with capabilities ensures that only a small number of containers carry capabilities beyond the default range. If such a container is compromised, it then offers an attacker no productive path to move laterally to other containers in the pod.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: securityContext:capabilities:drop (Optional)
    The capabilities field grants a process specific privileges without giving it the full privileges of the root user. When drop includes ALL, every root privilege is disabled for that container.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        drop:
          - ALL
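The build-time check described above, written out as an added example (not this page's or any scanner's own code): it reports every container of a Pod, or of a workload's pod template, that does not drop ALL capabilities, and it treats the common mistake of writing `-ALL` (a YAML scalar rather than a list item) as a failure. Manifests are constructed inline as Python dicts, the structure `yaml.safe_load` would return, so the check runs offline.

```python
# Added example, not the page's or any scanner's own code: a build-time check
# that flags containers which do not drop ALL Linux capabilities. Manifests
# are represented as Python dicts (what yaml.safe_load returns) to run offline.

# Assumed set of kinds whose PodSpec lives under spec.template.spec.
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec for a Pod, or the template PodSpec of a workload."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") in TEMPLATE_KINDS:
        spec = (spec.get("template") or {}).get("spec") or {}
    return spec


def drops_all(container: dict) -> bool:
    """True only if securityContext.capabilities.drop is a list containing ALL.

    A scalar such as "-ALL" (a missing space after the dash turns the YAML
    list item into a string) is rejected: it does not drop any capability.
    """
    sec = container.get("securityContext") or {}
    drop = (sec.get("capabilities") or {}).get("drop")
    if not isinstance(drop, list):
        return False
    return any(str(cap).upper() == "ALL" for cap in drop)


def failing_containers(manifest: dict) -> list:
    """Names of containers (init and regular) keeping the default capability set."""
    spec = pod_spec(manifest)
    return [
        c.get("name", "<unnamed>")
        for field in ("initContainers", "containers")
        for c in spec.get(field) or []
        if not drops_all(c)
    ]


# Constructed sample manifests: one compliant Pod, one with two failing containers.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"containers": [{"name": "app", "image": "nginx",
                     "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
           "spec": {"containers": [{"name": "app", "image": "nginx"},
                    {"name": "sidecar", "image": "busybox",
                     "securityContext": {"capabilities": {"drop": "-ALL"}}}]}}
```

Calling `failing_containers(BAD_POD)` returns `['app', 'sidecar']`: the first container has no securityContext at all, the second carries the `-ALL` scalar mistake.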