C-0220 - Minimize the admission of containers with capabilities assigned

Framework

cis-eks-t1.2.0

Severity

Medium

Description of the the issue

Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user.

In many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized.

Related resources

PodSecurityPolicy

What does this control test

Do not generally permit containers with capabilities

How to check it manually

Get the set of PSPs with the following command:

kubectl get psp

For each PSP, check whether capabilities have been forbidden:

kubectl get psp <name> -o=jsonpath='{.spec.requiredDropCapabilities}'

Remediation

Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities.

Impact Statement

Pods with containers require capabilities to operate will not be permitted.

Default Value

By default, PodSecurityPolicies are not defined.

Example

No example