
Metadata

Id: 268ca686-7fb7-4ae9-b129-955a2a89064e

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Low

Category: Best Practices

Learn More

Description

Every container and initContainer should declare which Linux capabilities it drops in its securityContext. The rule checks that each container defines securityContext.capabilities.drop; a container whose securityContext, capabilities, or drop field is missing is reported. The rule checks for the presence of the drop list, not its contents, so the strongest configuration is drop: ["ALL"] followed by an add list holding only the capabilities the workload actually needs, as in the compliant example below. Dropping capabilities enforces least privilege: a process that is compromised inside the container cannot use capabilities (for example NET_RAW or SYS_ADMIN) that the container runtime's default capability set would otherwise grant it.
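The check described above, implemented as an added example in Python. This is not Datadog's own rule implementation; it walks the standard PodSpec locations for Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet, Job and CronJob objects, visits both containers and initContainers, and reports the same three conditions the rule names (missing securityContext, missing capabilities, missing drop). Two details go beyond the rule as stated and are this example's own choices: an empty drop list is reported as well, and drops_all() compares case-insensitively so both the page's all and the conventional ALL count. The sample manifests are constructed to mirror the examples on this page.

```python
"""Report containers that do not drop Linux capabilities.

Added example (not Datadog's rule code). Works on already-parsed
manifests (dicts); check_yaml_text() is an optional entry point that
needs PyYAML.
"""
from typing import Any, Dict, List, Optional

# Where the PodSpec lives for each workload kind (standard core/apps/batch layouts).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj: Any, path) -> Optional[Any]:
    """Follow a key path through nested dicts; None if any step is absent."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def drop_reason(container: Dict[str, Any]) -> Optional[str]:
    """Why this container fails the check, or None if it passes."""
    sc = container.get("securityContext")
    if not isinstance(sc, dict):
        return "securityContext is missing"
    caps = sc.get("capabilities")
    if not isinstance(caps, dict):
        return "securityContext.capabilities is missing"
    if not caps.get("drop"):  # assumption: an empty list is treated like a missing one
        return "securityContext.capabilities.drop is missing or empty"
    return None


def drops_all(container: Dict[str, Any]) -> bool:
    """True if the container drops every capability (drop contains ALL, any case)."""
    caps = _dig(container, ("securityContext", "capabilities")) or {}
    return any(str(c).upper() == "ALL" for c in caps.get("drop") or [])


def find_missing_drop(manifest: Dict[str, Any]) -> List[str]:
    """One finding string per offending container; [] for compliant or unknown kinds."""
    kind = manifest.get("kind")
    path = POD_SPEC_PATHS.get(kind)
    if path is None:
        return []
    pod_spec = _dig(manifest, path) or {}
    name = _dig(manifest, ("metadata", "name")) or "<unnamed>"
    findings = []
    for field in ("containers", "initContainers"):
        for i, container in enumerate(pod_spec.get(field) or []):
            reason = drop_reason(container)
            if reason is not None:
                cname = container.get("name", f"#{i}")
                findings.append(f"{kind}/{name}: {field}[{i}] ({cname}): {reason}")
    return findings


def check_yaml_text(text: str) -> List[str]:
    """Run the check over a multi-document YAML string (requires PyYAML)."""
    import yaml  # assumption: PyYAML is installed where this entry point is used
    out: List[str] = []
    for doc in yaml.safe_load_all(text):
        if isinstance(doc, dict):
            out.extend(find_missing_drop(doc))
    return out


# Constructed samples mirroring this page's examples (not real workloads).
SAMPLE_COMPLIANT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "payment", "image": "nginx",
         "securityContext": {"capabilities": {"drop": ["all"], "add": ["NET_BIND_SERVICE"]}}},
    ]}}},
}

SAMPLE_NONCOMPLIANT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {
        "initContainers": [  # compliant initContainer: must not be reported
            {"name": "init", "image": "busybox",
             "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        ],
        "containers": [
            {"name": "payment", "image": "nginx",
             "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
            {"name": "payment2", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "payment3", "image": "nginx"},
        ],
    }}},
}

if __name__ == "__main__":
    for finding in find_missing_drop(SAMPLE_NONCOMPLIANT):
        print(finding)
```

Run as a script it prints one line per failing container of the non-compliant sample; to scan real manifests, feed a file's contents to check_yaml_text(). Because the rule only requires a drop list, add a drops_all() check of your own if you want to enforce the drop ALL baseline rather than merely its presence.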

Compliant Code Examples

apiVersion: apps/v1   # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
            drop:            # drop everything first ...
              - all
            add:             # ... then add back only what the workload needs
              - NET_BIND_SERVICE

Non-Compliant Code Examples

apiVersion: apps/v1   # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:      # capabilities is set but has no drop list
            add:
              - NET_BIND_SERVICE
      - name: payment2
        image: nginx
        securityContext:     # securityContext is set but has no capabilities
          allowPrivilegeEscalation: false
      - name: payment3
        image: nginx         # no securityContext at all