No Drop Capabilities for Containers
- Query id: 268ca686-7fb7-4ae9-b129-955a2a89064e
- Query name: No Drop Capabilities for Containers
- Platform: Kubernetes
- Severity: Low
- Category: Best Practices
- CWE: 754
- URL: Github
Description
Checks that every container defines a `securityContext.capabilities.drop` list, so that the container runs with only the Linux capabilities it actually needs instead of the runtime's default set.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: payment
          image: nginx
          securityContext:
            capabilities:
              add:                 # adds a capability but never drops any
                - NET_BIND_SERVICE
        - name: payment2
          image: nginx
          securityContext:
            allowPrivilegeEscalation: false   # no capabilities block at all
        - name: payment3
          image: nginx             # no securityContext at all
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: payment
          image: nginx
          securityContext:
            capabilities:
              drop:                # drop everything first...
                - all
              add:                 # ...then add back only what is needed
                - NET_BIND_SERVICE
```
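The check behind both samples above, written out as an added example (not the KICS query itself): it walks a Deployment's pod template and reports every container whose `securityContext.capabilities.drop` is absent or empty. Manifests are modelled as plain dicts (what a YAML parser yields) so it runs without extra dependencies; treating an empty `drop` list as a finding and also inspecting `initContainers` are assumptions that go slightly beyond the page.

```python
"""Report containers that do not drop any Linux capabilities.

Added example, not KICS's own query code. A container passes only when
securityContext.capabilities.drop is a non-empty list (empty list = finding,
an assumption); initContainers are checked as well (also an assumption).
"""
from typing import Any, Dict, List


def _drops_capabilities(container: Dict[str, Any]) -> bool:
    """True when the container lists at least one capability under drop."""
    sec_ctx = container.get("securityContext") or {}
    caps = sec_ctx.get("capabilities") or {}
    drop = caps.get("drop")
    return isinstance(drop, list) and len(drop) > 0


def containers_missing_drop(manifest: Dict[str, Any]) -> List[str]:
    """Return '<field>/<name>' for each pod-template container without a drop list."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    findings: List[str] = []
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field) or []:
            if not _drops_capabilities(container):
                findings.append(f"{field}/{container.get('name', '<unnamed>')}")
    return findings


def deployment(containers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build a minimal Deployment dict around a list of containers (constructed data)."""
    return {"apiVersion": "extensions/v1beta1", "kind": "Deployment",
            "spec": {"template": {"spec": {"containers": containers}}}}


# Constructed manifests mirroring the page's positive and negative samples.
POSITIVE = deployment([
    {"name": "payment", "image": "nginx",
     "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
    {"name": "payment2", "image": "nginx",
     "securityContext": {"allowPrivilegeEscalation": False}},
    {"name": "payment3", "image": "nginx"},
])
NEGATIVE = deployment([
    {"name": "payment", "image": "nginx",
     "securityContext": {"capabilities": {"drop": ["all"], "add": ["NET_BIND_SERVICE"]}}},
])
# Edge case: a drop key that is present but empty still leaves all defaults in place.
EMPTY_DROP = deployment([
    {"name": "payment", "image": "nginx", "securityContext": {"capabilities": {"drop": []}}},
])

if __name__ == "__main__":
    for label, manifest in (("positive", POSITIVE), ("negative", NEGATIVE)):
        print(label, containers_missing_drop(manifest) or "OK")
```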