lacework-global-655
4.2.8 Minimize the execution of container workloads with added capabilities (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit containers to be run with capabilities assigned beyond the default set.
Rationale
Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities outside this set can be added to containers which could expose them to risks of container breakout attacks.
Impact
Pods with containers which require capabilities outside the default set will not be permitted.
Audit
Get the configuration of all pods using the following command:
kubectl get pods -o json
Inspect the JSON output and ensure that, for each pod in .items[], there are no containers which explicitly add capabilities in .spec.containers[].securityContext.capabilities.add[].
If jq is available in the shell, pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array (the filter treats a missing securityContext or capabilities block as no added capabilities, and selects a pod only if at least one of its containers adds a capability):
kubectl get pods -o json | jq -r '.items[] | select(any(.spec.containers[]; (.securityContext.capabilities.add // []) | length > 0)) | {name: .metadata.name}' | jq -s '.'
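As an added example (not part of this benchmark or of Lacework's tooling), the following Python script performs the same audit against the JSON that kubectl get pods -o json emits, treating a missing securityContext or capabilities block as no added capabilities. It goes beyond the benchmark's .spec.containers[] path by also checking initContainers and ephemeralContainers; the pod list embedded below is constructed sample data, not output from a real cluster.

```python
import json

# Constructed sample resembling `kubectl get pods -o json` output (not real cluster data).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "hello-world", "namespace": "default"},
         "spec": {"containers": [
             {"name": "hello-world", "image": "hello-world",
              "securityContext": {"capabilities": {"add": []}}}]}},
        {"metadata": {"name": "net-tool", "namespace": "default"},
         "spec": {"containers": [
             {"name": "app", "image": "app:1"},
             {"name": "sidecar", "image": "sidecar:1",
              "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}},
        {"metadata": {"name": "dropper", "namespace": "kube-system"},
         "spec": {"containers": [
             {"name": "c", "image": "c:1",
              "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
    ]
})


def added_capabilities(container):
    """Return the capabilities a container explicitly adds; absent or null keys mean none."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return list(caps.get("add") or [])


def find_added_capabilities(pod_list_json, include_init=True):
    """Return [(namespace, pod, container, [caps])] for every container that adds
    capabilities. Regular containers are checked as the benchmark describes;
    initContainers and ephemeralContainers are checked too when include_init is set."""
    fields = ["containers"] + (["initContainers", "ephemeralContainers"] if include_init else [])
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        for field in fields:
            for c in pod.get("spec", {}).get(field) or []:
                caps = added_capabilities(c)
                if caps:
                    findings.append((meta.get("namespace", ""), meta.get("name", ""), c["name"], caps))
    return findings


if __name__ == "__main__":
    # An empty result means every pod complies with this control.
    for ns, pod, container, caps in find_added_capabilities(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} container={container} adds={','.join(caps)}")
```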
Remediation
By default, container runtimes ensure some Linux capabilities are not available to a container without being explicitly added.
Ensure pod configurations do not configure the addition of non-default capabilities for any containers. This can be achieved by the absence of capability additions in the container security context configuration or by specifying an empty array of added capabilities.
The following example explicitly configures a pod with an empty array of capability additions:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      capabilities:
        add: []
References
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core
https://man7.org/linux/man-pages/man7/capabilities.7.html