All Capabilities Should Be Dropped

Ensure that all capabilities are dropped.

Policy Details

Policy Subtype
Build
Severity
High
Template Type
Kubernetes

Build Rules

All capabilities should be dropped.
JSON Query:
$.spec.template.spec.containers[*].securityContext.capabilities.drop exists and not $.spec.template.spec.containers[*].securityContext.capabilities.drop[*] contains ALL
Recommendation:
Drop all Linux capabilities in each container's Security Context. In the pod template, make sure every container's "securityContext.capabilities" has "drop" set to "ALL"; a drop list that omits "ALL" leaves the remaining default capabilities available to the container.
For example:
"spec": {
  "containers": [
    {
      "image": "mateobur/flask",
      "name": "flask-cap",
      "securityContext": {
        "capabilities": {
          "drop": [ "ALL" ]
        }
      }
    }
  ]
}
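The build rule above, implemented as a small manifest checker (an added example, not code from the policy page or its vendor). It evaluates the rule per container, handles bare Pods as well as workloads with a pod template (the page's query covers only the template path), and the two manifests are constructed for the example.

```python
import json

# Constructed sample manifests (not from the policy page): a Deployment that
# fails the rule and a corrected copy that passes it.
BAD_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {"spec": {"containers": [
   {"name": "flask-cap", "image": "mateobur/flask",
    "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
   {"name": "sidecar", "image": "example/sidecar"}]}}}}
""")

GOOD_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "spec": {"template": {"spec": {"containers": [
   {"name": "flask-cap", "image": "mateobur/flask",
    "securityContext": {"capabilities": {"drop": ["ALL"]}}},
   {"name": "sidecar", "image": "example/sidecar",
    "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}}}
""")


def pod_spec(manifest):
    """Pod spec of a bare Pod, or of a workload (Deployment, Job, ...) via its template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def containers_not_dropping_all(manifest, require_drop_list=True):
    """Names of containers that violate the rule, evaluated per container.

    With require_drop_list=False this mirrors the page's JSON query literally:
    only containers that HAVE a drop list lacking "ALL" are reported. The
    default is stricter and also reports containers with no drop list at all,
    since those keep the runtime's default capability set.
    """
    failing = []
    for c in pod_spec(manifest).get("containers") or []:
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        drop = caps.get("drop")
        if drop is None:
            if require_drop_list:
                failing.append(c.get("name", "<unnamed>"))
            continue
        if "ALL" not in drop:
            failing.append(c.get("name", "<unnamed>"))
    return failing


if __name__ == "__main__":
    print("violations:", containers_not_dropping_all(BAD_DEPLOYMENT))  # ['flask-cap', 'sidecar']
```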