Containers With Sys Admin Capabilities
- Query id: 235236ee-ad78-4065-bd29-61b061f28ce0
- Query name: Containers With Sys Admin Capabilities
- Platform: Kubernetes
- Severity: High
- Category: Insecure Configurations
- CWE: 250
- URL: Github
Description¶
Containers should not have CAP_SYS_ADMIN Linux capability
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: pod4
spec:
containers:
- name: app
image: images.my-company.example/app:v4
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_ADMIN"]
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
- name: log-aggregator
image: images.my-company.example/log-aggregator:v6
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: pod1
spec:
containers:
- name: app
image: images.my-company.example/app:v4
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
- name: log-aggregator
image: images.my-company.example/log-aggregator:v6
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"