Do Not Run Containers With Dangerous Capabilities

Ensure that containers are not run with dangerous Linux capabilities added.

Policy Details

Policy Subtype
Build
Severity
Medium
Template Type
Kubernetes

Build Rules

Do not run containers with dangerous capabilities.
JSON Query:
$.spec.template.spec.containers[*].securityContext.capabilities exists and $.spec.template.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID, SYS_CHROOT, SYS_PTRACE, CHOWN, NET_RAW, NET_ADMIN, SYS_ADMIN, NET_BIND_SERVICE)
Recommendation:
Do not run containers with dangerous capabilities.
Make sure the "capabilities" block in each container's securityContext does not add any of FSETID, SETUID, SETGID, SYS_CHROOT, SYS_PTRACE, CHOWN, NET_RAW, NET_ADMIN, SYS_ADMIN or NET_BIND_SERVICE.
For example:
"securityContext": { "capabilities": { "add": [ "SYS_NICE" ], "drop": [ "KILL" ] } }
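To apply the build rule above outside the policy engine, here is an added Python check (not from this page or the product's own evaluator) that walks the same $.spec.template.spec.containers[*] path over a constructed Deployment manifest; the manifest, image and container names are made up for the example.

```python
# Added example: evaluates the policy's JSON query in plain Python.
# The capability list is the one from the build rule above.
DANGEROUS_CAPABILITIES = {
    "FSETID", "SETUID", "SETGID", "SYS_CHROOT", "SYS_PTRACE",
    "CHOWN", "NET_RAW", "NET_ADMIN", "SYS_ADMIN", "NET_BIND_SERVICE",
}


def dangerous_capabilities(manifest):
    """Return [(container_name, capability), ...] for every capability added
    under $.spec.template.spec.containers[*].securityContext.capabilities.add
    that is in the dangerous list. As in the policy query, a container with
    no securityContext or no capabilities block never matches."""
    findings = []
    containers = (manifest.get("spec", {})
                          .get("template", {})
                          .get("spec", {})
                          .get("containers", []))
    for container in containers:
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        for cap in caps.get("add") or []:
            # Normalise so both "NET_RAW" and "cap_net_raw" spellings are caught.
            name = cap.upper().removeprefix("CAP_")
            if name in DANGEROUS_CAPABILITIES:
                findings.append((container.get("name", "<unnamed>"), name))
    return findings


# Constructed sample manifest (hypothetical names): one offending container,
# one container matching the compliant example above, one with no securityContext.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "example/web:1.0",
         "securityContext": {"capabilities": {
             "add": ["NET_BIND_SERVICE", "SYS_ADMIN"], "drop": ["ALL"]}}},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"capabilities": {
             "add": ["SYS_NICE"], "drop": ["KILL"]}}},
        {"name": "plain", "image": "example/plain:1.0"},
    ]}}},
}

if __name__ == "__main__":
    for name, cap in dangerous_capabilities(SAMPLE_DEPLOYMENT):
        print(f"container {name!r} adds dangerous capability {cap}")
```

A YAML manifest loaded with PyYAML's yaml.safe_load yields the same dict shape, so the check can be pointed at real files; note that, like the query, it only inspects workloads with a pod template (Deployments, StatefulSets, DaemonSets, Jobs) and not bare Pods or initContainers.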