Unrestricted Capabilities

A container in a pod by default runs with a number of unnecessary capabilities. This unnecessary privilege increases the cluster attack surface.

Remediation

Carefully review the following default container capabilities and remove unnecessary ones.

[source]

"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
Source: https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19

An example of dropping all capabilities on a container

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          securityContext:
            capabilities:
              drop:
                - ALL

Metadata

Severity: low
Slug: unrestricted-capabilities

CWEs

272: Least Privilege Violation
269: Improper Privilege Management

OWASP

A04:2021: Insecure Design
A05:2021: Security Misconfiguration

Available Labs

Open Kubernetes labs in SecDim Play for this vulnerability.

easy

Capabilities.k8s

Other Easy Kubernetes Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.