No Drop Capabilities for Containers

  • Query id: 268ca686-7fb7-4ae9-b129-955a2a89064e
  • Query name: No Drop Capabilities for Containers
  • Platform: Kubernetes
  • Severity: Low
  • Category: Best Practices
  • CWE: 754
  • URL: Github

Description

Checks whether each container's securityContext defines a capabilities.drop list, so that containers give up the Linux capabilities they do not need instead of running with the runtime's default set.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
            add:
              - NET_BIND_SERVICE
      - name: payment2
        image: nginx
        securityContext:
          allowPrivilegeEscalation: false
      - name: payment3
        image: nginx

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
            drop:
              - all
            add:
              - NET_BIND_SERVICE
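The check the two samples above illustrate, written out as a small Python script. This is an added example, not the KICS query itself (KICS policies are written in Rego); it walks a workload manifest to the PodSpec, reports every container (initContainers included) that has no securityContext.capabilities.drop, and separately tells you whether a container drops ALL. The manifests are the page's positive and negative samples embedded as already-parsed dicts (what yaml.safe_load would return) so that the script runs with no dependencies; the function names and the set of handled kinds are this example's own choices.

```python
"""Report Kubernetes containers that do not drop any Linux capabilities.

Added example mirroring the intent of the KICS "No Drop Capabilities for
Containers" query. Manifests are handled as already-parsed dicts, so the
script needs no YAML library; feed it yaml.safe_load() output in practice.
"""
from typing import Any, Dict, List, Tuple

# Kinds whose PodSpec lives at spec.template.spec (assumption of this example).
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job",
                  "ReplicaSet", "ReplicationController"}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the PodSpec for a Pod, a template-based workload, or a CronJob."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        job = spec.get("jobTemplate") or {}
        return ((job.get("spec") or {}).get("template") or {}).get("spec") or {}
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return {}


def drop_list(container: Dict[str, Any]) -> List[str]:
    """Return securityContext.capabilities.drop for a container, [] when absent."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return [str(c) for c in (caps.get("drop") or [])]


def check_drop_capabilities(manifest: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (container name, reason) for each container with an empty drop list.

    initContainers are checked as well: they run under the same capability model.
    """
    findings: List[Tuple[str, str]] = []
    spec = pod_spec(manifest)
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            name = container.get("name", "<unnamed>")
            if not drop_list(container):
                findings.append(
                    (name, f"{field}/{name}: no securityContext.capabilities.drop"))
    return findings


def drops_all(container: Dict[str, Any]) -> bool:
    """True when the drop list contains ALL (compared case-insensitively, since the
    page's sample spells it 'all')."""
    return any(cap.upper() == "ALL" for cap in drop_list(container))


def _deployment(containers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build the Deployment skeleton shared by both samples on the page."""
    return {
        "apiVersion": "extensions/v1beta1",
        "kind": "Deployment",
        "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
        "spec": {
            "replicas": 3,
            "selector": {"matchLabels": {"app": "nginx"}},
            "template": {"metadata": {"labels": {"app": "nginx"}},
                         "spec": {"containers": containers}},
        },
    }


# Constructed copies of the page's samples: POSITIVE should be flagged, NEGATIVE not.
POSITIVE = _deployment([
    {"name": "payment", "image": "nginx",
     "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
    {"name": "payment2", "image": "nginx",
     "securityContext": {"allowPrivilegeEscalation": False}},
    {"name": "payment3", "image": "nginx"},
])
NEGATIVE = _deployment([
    {"name": "payment", "image": "nginx",
     "securityContext": {"capabilities": {"drop": ["all"],
                                          "add": ["NET_BIND_SERVICE"]}}},
])

if __name__ == "__main__":
    for label, manifest in (("positive", POSITIVE), ("negative", NEGATIVE)):
        findings = check_drop_capabilities(manifest)
        print(f"{label}: {len(findings)} finding(s)")
        for _, reason in findings:
            print("  " + reason)
```

Running the script flags all three containers of the positive sample (adding a capability, or setting allowPrivilegeEscalation, does not satisfy the check) and nothing in the negative sample, whose single container drops everything and adds back only NET_BIND_SERVICE. Note that the check only asks for a non-empty drop list; drops_all is the stricter question you would usually want answered.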