C-0201 - Minimize the admission of containers with capabilities assigned
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0
Severity
Medium
Description of the the issue
Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user.
In many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized.
Related resources
MutatingWebhookConfiguration, Namespace, ValidatingWebhookConfiguration
What does this control test
Do not generally permit containers with capabilities
How to check it manually
List the policies in use for each namespace in the cluster, ensure that at least one policy requires that capabilities are dropped by all containers.
Remediation
Review the use of capabilites in applications runnning on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a policy which forbids the admission of containers which do not drop all capabilities.
Impact Statement
Pods with containers require capabilities to operate will not be permitted.
Default Value
By default, there are no restrictions on the creation of containers with additional capabilities
Example
No example
Updated 11 days ago