C-0028 - Dangerous capabilities
Framework
NSA, ArmoBest
Description of the issue
Granting a container Linux capabilities it does not need, especially dangerous ones such as SYS_ADMIN or NET_ADMIN, widens what an attacker can do after compromising that container: capabilities that the default set does not include let a process manipulate the host network, load kernel modules, trace other processes or mount filesystems, turning a container escape or lateral movement from hard into routine.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
The control reads the capabilities listed under securityContext.capabilities.add for every container (including init containers) in the pod template of each related resource and compares them against a blacklist of dangerous capabilities (for example SYS_ADMIN or NET_ADMIN). Any container that adds a blacklisted capability fails the control.
Remediation
Review the container securityContext of each pod template, remove every capability from capabilities.add that the workload does not actually need, and prefer capabilities.drop: ["ALL"] followed by adding back only the minimal set. Where a dangerous capability is genuinely required, use the Kubescape exception mechanism to suppress the warning for that specific workload rather than weakening the control for the whole cluster.
Example
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"] # we look at these capabilities and compare them with the configuration of dangerous capabilities
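The check described above, as an added example that is not part of the Kubescape control or of this page: a small Python script that walks the pod template of any of the related resource kinds (Pod, CronJob, and the template-based workloads) and reports every container, init containers included, whose securityContext adds a capability from a dangerous list. The blacklist below is an assumption chosen for illustration; the real control uses its own configurable list. The manifests are constructed inline as already-parsed dicts (what yaml.safe_load would return), so the script runs offline; the first one is the Pod from the example above.

```python
# Added example: a capability checker in the spirit of C-0028.
# Not Kubescape's own code; the blacklist and sample manifests are assumptions.

# Illustrative blacklist (assumption). Kubescape's actual list is configurable
# and may differ; SYS_TIME is deliberately left out so the page's example
# fails only on NET_ADMIN.
DANGEROUS_CAPABILITIES = {
    "SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
    "SYS_BOOT", "NET_RAW", "BPF", "ALL",
}

# Kinds that embed the pod spec at spec.template.spec.
TEMPLATE_KINDS = {"DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet"}


def normalize(cap):
    """Capabilities appear as NET_ADMIN or CAP_NET_ADMIN, any case; compare
    upper-case without the CAP_ prefix so both spellings match the blacklist."""
    cap = str(cap).strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def pod_spec(manifest):
    """Return the pod spec embedded in a workload manifest, or None for kinds
    this check does not cover (Services, ConfigMaps, ...)."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> Job template -> pod template
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec")
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec")
    return None


def dangerous_capabilities(manifest, blacklist=DANGEROUS_CAPABILITIES):
    """Return [(container_name, [dangerous caps])] for every container or init
    container that adds a blacklisted capability; [] means the control passes."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sec_ctx = c.get("securityContext") or {}
        added = (sec_ctx.get("capabilities") or {}).get("add") or []
        bad = sorted({normalize(x) for x in added} & set(blacklist))
        if bad:
            findings.append((c.get("name"), bad))
    return findings


# --- constructed sample manifests (already parsed, as yaml.safe_load would return) ---

# The Pod from the example on this page: fails on NET_ADMIN.
PAGE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-4"},
    "spec": {"containers": [{
        "name": "sec-ctx-4",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}},
    }]},
}

# Remediated Deployment (assumed): drop everything, add back only what is needed.
FIXED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "node-hello"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "sec-ctx-4",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["SYS_TIME"]}},
    }]}}},
}

# CronJob (assumed) whose init container uses the CAP_ spelling of SYS_ADMIN.
CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "nightly"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{
            "name": "setup",
            "image": "busybox:1.36",
            "securityContext": {"capabilities": {"add": ["cap_sys_admin"]}},
        }],
        "containers": [{"name": "work", "image": "busybox:1.36"}],
    }}}}},
}

if __name__ == "__main__":
    for m in (PAGE_POD, FIXED_DEPLOYMENT, CRONJOB):
        name = f'{m["kind"]}/{m["metadata"]["name"]}'
        findings = dangerous_capabilities(m)
        print(name, "FAIL" if findings else "PASS", findings)
```

Running the script prints FAIL for the page's Pod (NET_ADMIN), PASS for the remediated Deployment, and FAIL for the CronJob's init container, which the check catches despite the lower-case cap_ prefix. The drop: ["ALL"] plus a minimal add is the shape the remediation recommends; the checker only inspects add, as the control does, so a container that adds a dangerous capability still fails even if it also drops others.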