C-0046 - Insecure capabilities
Frameworks: ArmoBest, NSA, AllControls
Description of the issue
Granting a container insecure or unnecessary Linux capabilities increases the impact of a container compromise: a capability such as NET_ADMIN or SYS_ADMIN lets a process that has broken out of the application gain node-level or network-level privileges it would otherwise lack. Note that this control is configurable; see the details below.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checks the capabilities added to each container (securityContext.capabilities.add) against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html).
Remediation
Remove every blacklisted capability that the container does not actually need. The safest pattern is to drop ALL and add back only the specific capabilities the workload requires.
Configuration parameters
This control can be configured using the following parameters. Read the CLI/UI documentation for how to change parameters.
The full list of Linux capabilities is described at https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape looks for the following capabilities in containers, which can let an attacker obtain high privileges on your system.
Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        # These added capabilities are compared against the list configured
        # in the control settings (settings -> control -> c46).
        add: ["NET_ADMIN", "SYS_TIME"]
```
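The check above, carried through as an added example (this is not Kubescape's own implementation): it locates the pod spec for each of the workload kinds the control covers, compares every added capability against a blacklist, and shows the drop-ALL-then-add-back remediation. The blacklist, the sample CronJob, and the function names are assumptions made for illustration; the control's real default list is the one in your control settings. The sample Pod is the one from the page.

```python
"""Check workload manifests for capabilities on a configurable blacklist.

Added example, not Kubescape's own code. INSECURE_CAPABILITIES below is an
assumed, illustrative list; substitute the list configured for control C-0046.
"""
import copy

# Assumed blacklist for this example (not the control's shipped default).
INSECURE_CAPABILITIES = {
    "SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE", "SYS_MODULE",
    "SYS_RAWIO", "SYS_BOOT", "SETPCAP", "MAC_ADMIN", "MAC_OVERRIDE", "BPF",
}

# Path from the manifest root to the pod spec, per kind the control covers.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def normalize_cap(name):
    """Kubernetes accepts both 'NET_ADMIN' and 'CAP_NET_ADMIN'; compare one form."""
    n = str(name).strip().upper()
    return n[4:] if n.startswith("CAP_") else n


def pod_spec(manifest):
    """Return the pod spec dict for a supported kind, or None otherwise."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) or {}
    return node


def find_insecure_capabilities(manifest, blacklist=INSECURE_CAPABILITIES):
    """Return [(container_name, capability)] for each blacklisted capability added.

    'ALL' is always reported: it grants every capability, blacklisted ones included.
    Init and ephemeral containers are checked too, since they run in the same pod.
    """
    findings = []
    spec = pod_spec(manifest)
    if spec is None:
        return findings
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                n = normalize_cap(cap)
                if n == "ALL" or n in blacklist:
                    findings.append((c.get("name", "<unnamed>"), n))
    return findings


def harden_capabilities(container, keep=()):
    """Return a copy of the container that drops ALL and re-adds only `keep`."""
    hardened = copy.deepcopy(container)
    sc = hardened.setdefault("securityContext", {})
    sc["capabilities"] = {"drop": ["ALL"]}
    if keep:
        sc["capabilities"]["add"] = sorted(normalize_cap(k) for k in keep)
    return hardened


# The Pod from the page, as a dict.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-4"},
    "spec": {"containers": [{
        "name": "sec-ctx-4",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}},
    }]},
}

# Constructed CronJob: a CAP_-prefixed name in an init container and ALL in the main one.
SAMPLE_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "nightly"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"capabilities": {"add": ["CAP_NET_RAW"]}}}],
        "containers": [{"name": "main", "image": "busybox",
                        "securityContext": {"capabilities": {"add": ["ALL"]}}}],
    }}}}},
}

if __name__ == "__main__":
    for m in (SAMPLE_POD, SAMPLE_CRONJOB):
        print(m["kind"], m["metadata"]["name"], find_insecure_capabilities(m))
    print(harden_capabilities(SAMPLE_POD["spec"]["containers"][0], keep=["NET_ADMIN"]))
```

With the assumed blacklist the page's Pod is flagged only for NET_ADMIN, not SYS_TIME, which is the point of the control being configurable: the finding depends on the list you set, so keep that list aligned with what your workloads legitimately need.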