Containers with sys admin capabilities
This product is not supported for your selected
Datadog site. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: 235236ee-ad78-4065-bd29-61b061f28ce0
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: High
Category: Insecure Configurations
Learn More
Description
Containers should not include the CAP_SYS_ADMIN Linux capability. This rule flags any resource where a container or initContainer adds SYS_ADMIN to securityContext.capabilities.add. CAP_SYS_ADMIN grants broad privileges and can enable privilege escalation, so it must not be granted to container processes.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: pod1
spec:
containers:
- name: app
image: images.my-company.example/app:v4
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
- name: log-aggregator
image: images.my-company.example/log-aggregator:v6
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: pod4
spec:
containers:
- name: app
image: images.my-company.example/app:v4
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_ADMIN"]
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
- name: log-aggregator
image: images.my-company.example/log-aggregator:v6
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
