C-0046 - Insecure capabilities
Framework
WorkloadScan, security, ArmoBest, NSA, AllControls
Severity
High
Description of the the issue
Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.Note, this control is configurable. See below the details.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html).
Remediation
Remove all insecure capabilities which are not necessary for the container.
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Insecure capabilities
insecureCapabilities
Kubescape looks for these capabilities in containers, which might lead to attackers getting elevated privileges in your cluster. You can see the full list of possible capabilities at https://man7.org/linux/man-pages/man7/capabilities.7.html.
Example
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"] # we look at these capabilities against the configured list in the control settings (settings-> control -> c46)
Updated 11 days ago