Not Limited Capabilities For Container
- Query id: 2f1a0619-b12b-48a0-825f-993bb6f01d58
- Query name: Not Limited Capabilities For Container
- Platform: Kubernetes
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
Limit the capabilities for a Container.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
drop: ["NET_ADMIN", "SYS_TIME"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dropCapabilitiesTest
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: payment
image: nginx
securityContext:
capabilities:
drop:
- NET_ADMIN
add:
- NET_BIND_SERVICE