C-0028 - Dangerous capabilities

Dangerous capabilities

Framework

NSA, ArmoBest

Description of the issue

Giving a container dangerous and unnecessary capabilities can increase the impact of a container compromise.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checks the capabilities given to each container against a blacklist of dangerous capabilities (e.g. SYS_ADMIN or NET_ADMIN).

Remediation

Check and remove all unnecessary capabilities from the security context of the Pod's containers, and use the exception mechanism to remove warnings where these capabilities are necessary.

Example

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"] # we look at these capabilities and compare them with the configuration of dangerous capabilities 
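
The check described above, sketched in Python as an added example; it is not the control's own implementation. The deny-list beyond SYS_ADMIN and NET_ADMIN, the function names and the sample CronJob are assumptions made for illustration.

```python
# Assumed deny-list: SYS_ADMIN and NET_ADMIN are the page's examples; the
# other two are added for illustration, not the control's configured list.
DANGEROUS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

# A CronJob nests its pod spec one level deeper than the other workload kinds.
CRONJOB_PATH = ("spec", "jobTemplate", "spec", "template", "spec")
TEMPLATE_PATH = ("spec", "template", "spec")  # Deployment, DaemonSet, Job, ...

def normalize(cap):
    """Upper-case and drop an optional CAP_ prefix so spelling variants compare equal."""
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def pod_spec(manifest):
    """Return the pod spec of a workload manifest, or {} if it is missing."""
    kind = manifest.get("kind")
    path = ("spec",) if kind == "Pod" else CRONJOB_PATH if kind == "CronJob" else TEMPLATE_PATH
    node = manifest
    for key in path:
        node = node.get(key) or {}
    return node

def dangerous_capabilities(manifest):
    """Return sorted (container name, capability) findings for one manifest."""
    spec, findings = pod_spec(manifest), []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            for cap in map(normalize, caps.get("add") or []):
                # "ALL" adds every capability, so it always counts as a finding.
                if cap == "ALL" or cap in DANGEROUS:
                    findings.append((c.get("name", "?"), cap))
    return sorted(findings)

# The page's example Pod, written as a dict.
PAGE_POD = {"kind": "Pod", "metadata": {"name": "security-context-demo-4"}, "spec": {
    "containers": [{"name": "sec-ctx-4", "securityContext": {
        "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}}

# Constructed CronJob: init container, "ALL", and a harmless add.
SAMPLE_CRONJOB = {"kind": "CronJob", "metadata": {"name": "sample-backup"}, "spec": {
    "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "init-perms", "securityContext": {
            "capabilities": {"add": ["cap_sys_admin"]}}}],
        "containers": [
            {"name": "backup", "securityContext": {"capabilities": {"add": ["ALL"]}}},
            {"name": "web", "securityContext": {"capabilities": {
                "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}}}}}

if __name__ == "__main__":
    for m in (PAGE_POD, SAMPLE_CRONJOB):
        print(m["kind"], m["metadata"]["name"], dangerous_capabilities(m))
```

With this assumed list, SYS_TIME in the page's Pod is not reported; whether it is in practice depends on the configured list of dangerous capabilities.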
