C-0046 - Insecure capabilities
Framework
AllControls, ArmoBest, NSA, WorkloadScan, security
Severity
High
Description of the the issue
Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.Note, this control is configurable. See below the details.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html).
Remediation
Remove all insecure capabilities which are not necessary for the container.
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Insecure capabilities
insecureCapabilities
You can see the list of capabilities in https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape looks for the following capabilities in containers which might lead to attackers getting high privileges in your system.
Example
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"] # we look at these capabilities against the configured list in the control settings (settings-> control -> c46)
Updated 15 days ago