k8s-securitycontext-capabilities
Minimize the admission of containers with added capability
Linux capabilities grant the processes running within your container additional superuser-level privileges and should only be defined when absolutely necessary. When not absolutely required, it is best to drop all capabilities to ensure that a potentially compromised container cannot impact other pods running on the host.
By default, Pods running in Kubernetes are created with the NET_RAW capability, which could be exploited to launch a variety of network attacks from within your cluster.
Examples
Insecure Example
# pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: manual-capabilities
spec:
  containers:
  - name: app
    image: registry/image:tag
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
---
apiVersion: v1
kind: Pod
metadata:
  name: default-capabilities
spec:
  containers:
  - name: app
    image: registry/image:tag
    securityContext:
      capabilities:
        add: ["NET_RAW"] # (default value if undefined)
Secure Example
# pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  containers:
  - name: app
    image: registry/image:tag
    securityContext:
      capabilities:
        drop: ["ALL"]
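The rule above, applied to both the insecure and the secure manifests, as an added example (not code from the original page): a check of the kind an admission webhook or CI linter would run, treating a container as compliant only when it adds no capabilities and drops ALL. The Pod objects are constructed Python dicts mirroring the manifests on this page; a real check would load them from YAML or from the admission request.

```python
# Added example: the capabilities rule expressed as a check over Pod objects.
# The sample Pods below are constructed to mirror this page's manifests.

def capability_findings(pod):
    """Return one finding per container that adds capabilities or fails to drop ALL.

    A container with no capabilities block keeps the runtime default set
    (including NET_RAW), so it is reported as well. initContainers are
    checked too, since they run with the same privileges as app containers.
    """
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = caps.get("add") or []
        dropped = caps.get("drop") or []
        if added:
            findings.append(f"{name}/{c['name']}: adds capabilities {added}")
        if "ALL" not in dropped:  # capability names are case-sensitive
            findings.append(f"{name}/{c['name']}: does not drop ALL")
    return findings


def container(caps=None):
    """Build a constructed sample container, optionally with a capabilities block."""
    c = {"name": "app", "image": "registry/image:tag"}
    if caps is not None:
        c["securityContext"] = {"capabilities": caps}
    return c


def pod(name, caps=None):
    """Build a constructed single-container Pod."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [container(caps)]}}


# Constructed inputs: the two insecure Pods, one with no securityContext, and the secure Pod.
MANUAL_CAPABILITIES = pod("manual-capabilities", {"add": ["NET_ADMIN", "SYS_TIME"]})
DEFAULT_CAPABILITIES = pod("default-capabilities", {"add": ["NET_RAW"]})
UNSPECIFIED = pod("unspecified")  # no securityContext: keeps the default set
SECURE = pod("default", {"drop": ["ALL"]})

if __name__ == "__main__":
    for p in (MANUAL_CAPABILITIES, DEFAULT_CAPABILITIES, UNSPECIFIED, SECURE):
        for line in capability_findings(p) or [f"{p['metadata']['name']}: ok"]:
            print(line)
```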