C-0046 - Insecure capabilities

Framework

AllControls, ArmoBest, NSA, WorkloadScan, security

Severity

High

Description of the issue

Granting a container insecure or unnecessary Linux capabilities increases the impact of a container compromise: a capability such as SYS_ADMIN or NET_ADMIN can let an attacker who has code execution inside the container affect the node or other workloads rather than staying confined to the container. Note that this control is configurable; see the details below.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checks the capabilities added to each container (securityContext.capabilities.add) against a configurable list of insecure capabilities. The capability names are the Linux ones described at https://man7.org/linux/man-pages/man7/capabilities.7.html.

Remediation

Remove every insecure capability the container does not actually need. The safest pattern is to drop all capabilities (drop: ["ALL"]) and add back only the few the workload requires, so nothing outside that short list is ever granted.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Insecure capabilities

insecureCapabilities
The list of capabilities the control treats as insecure. Valid capability names are listed at https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape flags any container that adds one of the configured capabilities, since these are the capabilities most likely to let an attacker in a compromised container gain high privileges on the node.

Example

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"] # each added capability is compared against the configured insecureCapabilities list (settings -> control -> C-0046)
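The check this control performs, written out as an added example in Python (this is not Kubescape's code, which evaluates the control differently). It walks the pod spec of every kind listed under Related resources, including init and ephemeral containers, normalizes the optional CAP_ prefix, and reports each added capability that is on the configured list. The INSECURE_CAPABILITIES set is an illustrative assumption standing in for the insecureCapabilities parameter, not Kubescape's default value, and the three manifests are constructed: the page's Pod, a remediated Deployment that drops ALL and adds back only NET_BIND_SERVICE, and a CronJob whose init container adds CAP_SYS_ADMIN.

```python
"""Check workload manifests for insecure Linux capabilities.

Added example, not Kubescape's own code. The manifests are constructed
and INSECURE_CAPABILITIES is an illustrative stand-in for the control's
configurable insecureCapabilities parameter, not its default value.
"""
from __future__ import annotations

# Illustrative list (assumption): capabilities that commonly allow escape
# from, or privilege escalation beyond, a compromised container.
INSECURE_CAPABILITIES = {
    "SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME",
    "SYS_BOOT", "SYS_RAWIO", "NET_RAW", "DAC_READ_SEARCH", "BPF",
}

# Workloads whose pod spec lives under spec.template; CronJob nests one level deeper.
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def normalize(cap: str) -> str:
    """Kubernetes accepts both NET_ADMIN and CAP_NET_ADMIN; compare on one form."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def pod_spec(manifest: dict) -> dict:
    """Locate the PodSpec for every kind the control covers."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in TEMPLATED_KINDS:
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind!r}")


def find_insecure_capabilities(manifest: dict, insecure=INSECURE_CAPABILITIES) -> list:
    """Return (container, capability) pairs for each added capability on the list.

    Init and ephemeral containers are inspected too: an init container with
    SYS_ADMIN runs on the same node as the main container.
    """
    wanted = {normalize(c) for c in insecure}
    spec = pod_spec(manifest)
    findings = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                if normalize(cap) in wanted:
                    findings.append((container["name"], normalize(cap)))
    return findings


# Constructed sample manifests (the first mirrors the page's Pod example).
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-4"},
    "spec": {"containers": [{
        "name": "sec-ctx-4",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}},
    }]},
}

# Remediated: drop everything, add back only the one capability the workload needs.
REMEDIATED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
    }]}}},
}

# CronJob whose init container uses the CAP_ prefix; still caught after normalization.
CRONJOB_WITH_INIT = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "nightly"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{
            "name": "setup",
            "image": "busybox",
            "securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}},
        }],
        "containers": [{"name": "job", "image": "busybox"}],
    }}}}},
}

if __name__ == "__main__":
    for m in (INSECURE_POD, REMEDIATED_DEPLOYMENT, CRONJOB_WITH_INIT):
        print(m["kind"], m["metadata"]["name"], find_insecure_capabilities(m) or "OK")
```

Run against the page's Pod the check reports NET_ADMIN and SYS_TIME on container sec-ctx-4; the remediated Deployment passes because NET_BIND_SERVICE is not on the list, and the CronJob is flagged through its init container even though the capability was written with the CAP_ prefix. To reproduce the control's real behaviour, replace the illustrative set with the insecureCapabilities value configured in your Kubescape settings.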