--- title: Containers with added capabilities description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Containers with added capabilities --- # Containers with added capabilities {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `19ebaa28-fc86-4a58-bcfa-015c9e22fe40` **Cloud Provider:** Kubernetes **Platform:** Kubernetes **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) ### Description{% #description %} Containers and initContainers should not include added capabilities other than NET_BIND_SERVICE. The rule checks container.securityContext.capabilities.add and reports an IncorrectValue when any capability other than NET_BIND_SERVICE is present. It applies to both containers and initContainers found in the pod spec. ## Compliant Code Examples{% #compliant-code-examples %} ```yaml apiVersion: v1 kind: Pod metadata: name: pod1 spec: containers: - name: app image: images.my-company.example/app:v4 securityContext: allowPrivilegeEscalation: false resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" - name: log-aggregator image: images.my-company.example/log-aggregator:v6 securityContext: allowPrivilegeEscalation: false resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" ``` ```yaml apiVersion: v1 kind: Pod metadata: name: pod4 spec: containers: - name: app image: images.my-company.example/app:v4 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL add: - NET_BIND_SERVICE resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" - name: log-aggregator image: images.my-company.example/log-aggregator:v6 securityContext: allowPrivilegeEscalation: false resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml apiVersion: v1 kind: Pod metadata: name: pod2 spec: containers: - name: app image: images.my-company.example/app:v4 securityContext: allowPrivilegeEscalation: false capabilities: add: ["NET_ADMIN", "SYS_TIME"] resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" - name: log-aggregator image: images.my-company.example/log-aggregator:v6 securityContext: allowPrivilegeEscalation: false resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" --- apiVersion: v1 kind: Pod metadata: name: pod3 spec: initContainers: - name: app image: images.my-company.example/app:v4 securityContext: allowPrivilegeEscalation: false capabilities: add: ["NET_ADMIN", "SYS_TIME"] resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" - name: log-aggregator image: images.my-company.example/log-aggregator:v6 securityContext: allowPrivilegeEscalation: false resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" containers: - name: app image: images.my-company.example/app:v4 ```