k8s-securitycontext-capabilities

Minimize the admission of containers with added capability

Linux capabilities grant the processes running within your container additional superuser-level privileges and should only be added when absolutely necessary. When they are not required, drop all capabilities so that a potentially compromised container cannot affect other pods running on the host.

By default, containers in Kubernetes Pods are created with the NET_RAW capability, which could be exploited to launch a variety of network attacks from within your cluster.

Examples

Insecure Example

# pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: manual-capabilities
spec:
  containers:
    - name: app
      image: registry/image:tag
      # capabilities is a container-level securityContext field;
      # a pod-level spec.securityContext has no capabilities field
      securityContext:
        capabilities:
          add: ["NET_ADMIN", "SYS_TIME"]
---
apiVersion: v1
kind: Pod
metadata:
  name: default-capabilities
spec:
  containers:
    - name: app
      image: registry/image:tag
      securityContext:
        capabilities:
          add: ["NET_RAW"]  # (default value if undefined)

Secure Example

# pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  containers:
    - name: app
      image: registry/image:tag
      securityContext:
        capabilities:
          drop: ["ALL"]
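The following is an added example, not part of the original page or any policy engine: a small admission-style check that walks a Pod manifest (in the dict form `yaml.safe_load` would return) and reports containers that add capabilities, keep the default NET_RAW, or forget `drop: ["ALL"]`. The manifests embedded in it are constructed to mirror the insecure and secure examples above; the function names are this example's own.

```python
# Added example: flag Pod containers with added or undropped Linux capabilities.
# Input is a Pod manifest as a dict (what yaml.safe_load() returns).

def container_findings(container):
    """Return a list of finding strings for one container spec (dict)."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = [c.upper() for c in caps.get("add") or []]
    dropped = [c.upper() for c in caps.get("drop") or []]
    name = container.get("name", "<unnamed>")
    findings = [f"{name}: adds capability {cap}" for cap in added]
    if "ALL" not in dropped:
        # NET_RAW is in the runtime's default set, so it stays granted
        # unless it, or ALL, is explicitly dropped.
        if "NET_RAW" not in dropped and "NET_RAW" not in added:
            findings.append(f"{name}: keeps default NET_RAW (drop ALL or NET_RAW)")
        findings.append(f"{name}: does not drop ALL capabilities")
    return findings


def check_pod(manifest):
    """Return findings for every container and initContainer of a Pod."""
    spec = manifest.get("spec") or {}
    findings = []
    # capabilities is only valid per container; a pod-level block is a
    # misplaced setting that grants nothing and hides the real config.
    if "capabilities" in (spec.get("securityContext") or {}):
        findings.append("spec.securityContext.capabilities is not a valid "
                        "field; set capabilities per container")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(container_findings(c))
    return findings


# Constructed sample manifests mirroring the page's examples.
INSECURE_POD = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "manual-capabilities"},
                "spec": {"containers": [{"name": "app", "image": "registry/image:tag",
                         "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}}
SECURE_POD = {"apiVersion": "v1", "kind": "Pod",
              "metadata": {"name": "default"},
              "spec": {"containers": [{"name": "app", "image": "registry/image:tag",
                       "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (INSECURE_POD, SECURE_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```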

More information