C-0046 - Insecure capabilities

Framework

AllControls, ArmoBest, security, WorkloadScan, NSA

Severity

High

Description of the the issue

Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.Note, this control is configurable. See below the details.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html).

Remediation

Remove all insecure capabilities which are not necessary for the container.

Configuration

This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.

Insecure capabilities

insecureCapabilities
Kubescape looks for these capabilities in containers, which might lead to attackers getting elevated privileges in your cluster. You can see the full list of possible capabilities at https://man7.org/linux/man-pages/man7/capabilities.7.html.

Example

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"] # we look at these capabilities against the configured list in the control settings (settings-> control -> c46)