Not Limited Capabilities For Container

  • Query id: 2f1a0619-b12b-48a0-825f-993bb6f01d58
  • Query name: Not Limited Capabilities For Container
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Insecure Configurations

Description

Limit the Linux capabilities granted to a container. Drop all capabilities (`drop: ["ALL"]`) in the container's `securityContext` rather than dropping individual ones, and add back only the capabilities the workload actually needs.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["NET_ADMIN", "SYS_TIME"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drop-capabilities-test
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
            drop:
              - NET_ADMIN
            add:
              - NET_BIND_SERVICE

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["ALL"]
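The check behind this query, written out as an added example in Python (not KICS's own query code): a container passes only when its `securityContext.capabilities.drop` contains `ALL`. The page's three samples are encoded as dicts, as PyYAML's `safe_load` would return them, so the example runs without a YAML dependency.

```python
# Added example, not KICS code: flag containers that do not drop ALL
# capabilities. Manifests are dicts (PyYAML safe_load output shape).

def pod_spec_of(obj):
    """Pod spec of a Pod, or of a workload embedding a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    # Deployment, StatefulSet, DaemonSet, Job, ... use spec.template.spec
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def container_findings(obj):
    """Names of (init)containers whose capabilities.drop lacks ALL."""
    findings = []
    spec = pod_spec_of(obj)
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            # Normalise case; a missing securityContext drops nothing.
            dropped = {str(x).upper() for x in caps.get("drop") or []}
            if "ALL" not in dropped:
                findings.append(c.get("name", "<unnamed>"))
    return findings

# The page's positive samples (flagged) and negative sample (clean).
POSITIVE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-4"},
    "spec": {"containers": [{
        "name": "sec-ctx-4", "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"drop": ["NET_ADMIN", "SYS_TIME"]}},
    }]},
}
POSITIVE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "drop-capabilities-test"},
    "spec": {"replicas": 3, "template": {"spec": {"containers": [{
        "name": "payment", "image": "nginx",
        "securityContext": {"capabilities": {"drop": ["NET_ADMIN"],
                                             "add": ["NET_BIND_SERVICE"]}},
    }]}}},
}
NEGATIVE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-4"},
    "spec": {"containers": [{
        "name": "sec-ctx-4", "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"capabilities": {"drop": ["ALL"]}},
    }]},
}
```

Note that the Deployment sample is still flagged even though it adds back only `NET_BIND_SERVICE`: the query looks at what is dropped, not at what is added, so `drop: ["ALL"]` plus an explicit `add` list is the pattern that passes.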