--- title: No drop capabilities for containers description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > No drop capabilities for containers --- # No drop capabilities for containers {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-kubernetes-no-drop-capabilities-for-containers` **Provider:** Kubernetes **Platform:** Terraform **Severity:** Low **Category:** Best Practices #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop) ### Description{% #description %} Checks whether the Kubernetes 'capabilities.drop' setting is present to ensure container security context. The rule verifies that each container and init_container defines 'security_context', that 'capabilities' exists, and that 'capabilities.drop' is set. Missing or undefined attributes are reported as missing or incorrect values. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "kubernetes_pod" "negative4" { metadata { name = "terraform-example" } spec { container = [ { image = "nginx:1.7.9" name = "example" security_context = { capabilities = { drop = ["ALL"] } } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } }, { image = "nginx:1.7.9" name = "example2" security_context = { capabilities = { drop = ["ALL"] } } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } ] dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "kubernetes_pod" "test1" { metadata { name = "terraform-example" } spec { container = [ { image = "nginx:1.7.9" name = "example" security_context = { capabilities = { add = ["NET_BIND_SERVICE"] } } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } }, { image = "nginx:1.7.9" name = "example2" security_context = { capabilities = { drop = ["ALL"] } } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } ] dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } ``` ```terraform resource "kubernetes_pod" "test2" { metadata { name = "terraform-example" } spec { container = [ { image = "nginx:1.7.9" name = "example" security_context = { allow_privilege_escalation = false } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } }, { image = "nginx:1.7.9" name = "example2" security_context = { capabilities = { drop = ["ALL"] } } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } ] dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } ``` ```terraform resource "kubernetes_pod" "test3" { metadata { name = "terraform-example" } spec { container = [ { image = "nginx:1.7.9" name = "example" env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } }, { image = "nginx:1.7.9" name = "example2" security_context = { capabilities = { drop = ["ALL"] } } env = { name = "environment" value = "test" } port = { container_port = 8080 } liveness_probe = { http_get = { path = "/nginx_status" port = 80 http_header = { name = "X-Custom-Header" value = "Awesome" } } initial_delay_seconds = 3 period_seconds = 3 } } ] dns_config { nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] searches = ["example.com"] option { name = "ndots" value = 1 } option { name = "use-vc" } } dns_policy = "None" } } ```