Granting dangerous or unnecessary Linux capabilities to a container increases the impact of a container compromise: a process that escapes the application can use them to act on the host or its network.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Checks the capabilities added to each container against a blacklist of dangerous capabilities (e.g. SYS_ADMIN or NET_ADMIN).
Review and remove all unnecessary capabilities from the pod security context of the containers, and use the exception mechanism to suppress warnings where a listed capability is genuinely required.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"] # we look at these capabilities and compare them with the configuration of dangerous capabilities
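The following is an added example, not code from the original page or from the scanner it describes: it locates the pod spec inside each supported workload kind (CronJob nests it one level deeper than the others) and reports added capabilities that appear on a blacklist. The blacklist contents and the parsed manifests are constructed for the demonstration; a real check would read the manifests with a YAML parser and the blacklist from the policy configuration.

```python
# Added example (not the page's own code): find blacklisted capabilities that a
# workload adds to its containers. Manifests are constructed, already-parsed dicts.

# Constructed blacklist; the real list is whatever the policy configuration says.
DANGEROUS_CAPABILITIES = {"SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE"}

def pod_spec_of(manifest):
    """Return the PodSpec dict for any of the kinds this control covers."""
    kind = manifest["kind"]
    spec = manifest["spec"]
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> Job template -> Pod template
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    # DaemonSet, Deployment, Job, ReplicaSet, StatefulSet all embed a Pod template
    return spec["template"]["spec"]

def dangerous_capabilities(manifest, blacklist=DANGEROUS_CAPABILITIES):
    """List (container name, capability) pairs whose added capability is blacklisted.
    Names are normalised so CAP_NET_ADMIN and NET_ADMIN are treated the same."""
    findings = []
    pod_spec = pod_spec_of(manifest)
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        for cap in caps.get("add") or []:
            name = cap.upper()
            name = name[4:] if name.startswith("CAP_") else name
            if name in blacklist:
                findings.append((container["name"], name))
    return findings

# Constructed manifest: the Pod shown above, as a parsed dict.
POD = {"apiVersion": "v1", "kind": "Pod",
       "metadata": {"name": "security-context-demo-4"},
       "spec": {"containers": [{"name": "sec-ctx-4",
                                "image": "gcr.io/google-samples/node-hello:1.0",
                                "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}}

# Constructed CronJob: the same kind of grant, buried three levels deeper.
CRONJOB = {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
           "spec": {"schedule": "0 2 * * *",
                    "jobTemplate": {"spec": {"template": {"spec": {"containers": [
                        {"name": "worker", "image": "example/worker:1.0",
                         "securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}]}}}}}}

if __name__ == "__main__":
    for m in (POD, CRONJOB):
        print(m["kind"], m["metadata"]["name"], dangerous_capabilities(m))
```

SYS_TIME is not flagged with the constructed blacklist; whether it belongs on the list is a policy decision, which is exactly what the exception mechanism in the remediation is for.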