Minimize the admission of containers with capabilities assigned

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

5.2.9

Set up the kubernetes integration.

Description

Do not generally permit containers with capabilities.

Rationale

Containers run with a default set of capabilities as assigned by the container runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user. In many cases, applications running in containers do not require any capabilities to operate. From the perspective of the principle of least privilege, use of capabilities should be minimized.

Audit

Get the set of PSPs with the following command: kubectl get psp

For each PSP, check whether capabilities have been forbidden, i.e. the required-drop list includes ALL: kubectl get psp <name> -o=jsonpath='{.spec.requiredDropCapabilities}'

A policy only forbids capabilities if it also does not add any back: .spec.allowedCapabilities and .spec.defaultAddCapabilities should be empty, and .spec.privileged should be false, since a privileged container receives every capability regardless of these lists.

Remediation

Review the use of capabilities in applications running on your cluster. Where a namespace contains applications that do not require any Linux capabilities to operate, consider adding a PSP that forbids the admission of containers that do not drop all capabilities.
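The audit and remediation steps above, worked through as an added example that is not part of the CIS benchmark text or of any vendor tooling: a small Python script that applies the capability checks to every PodSecurityPolicy and shows, as a Python object, the shape of a policy that satisfies them. The two sample policies are constructed for this example; with --cluster the script instead reads kubectl get psp -o json and assumes kubectl is on PATH with access to the cluster. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on newer clusters the same intent is expressed through Pod Security Admission or a third-party admission controller rather than a PSP.

```python
"""Audit PodSecurityPolicies for capability restrictions (CIS Kubernetes 5.2.9).

Added example, not from the benchmark. Policy names and the sample objects
below are constructed for illustration.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed remediation policy: a PSP that forbids capabilities.
# Applied as YAML it would read, in part:
#   kind: PodSecurityPolicy
#   spec:
#     privileged: false
#     requiredDropCapabilities: ["ALL"]
#     allowedCapabilities: []
#     defaultAddCapabilities: []
# The remaining rules (runAsUser, seLinux, volumes, ...) are set to RunAsAny
# here purely so the object is complete; tighten them per the other 5.2.x controls.
REMEDIATION_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted-no-caps"},  # constructed name
    "spec": {
        "privileged": False,
        "requiredDropCapabilities": ["ALL"],
        "allowedCapabilities": [],
        "defaultAddCapabilities": [],
        "runAsUser": {"rule": "RunAsAny"},
        "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
        "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"],
    },
}

# Constructed non-compliant policy: drops one capability but lets pods add others.
PERMISSIVE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "permissive"},  # constructed name
    "spec": {
        "privileged": False,
        "requiredDropCapabilities": ["NET_RAW"],
        "allowedCapabilities": ["NET_ADMIN"],
        "runAsUser": {"rule": "RunAsAny"},
        "seLinux": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
        "volumes": ["*"],
    },
}

SAMPLE_PSPS = [REMEDIATION_PSP, PERMISSIVE_PSP]


def capability_findings(psp: dict) -> List[str]:
    """Return the ways a PSP fails to forbid capabilities (empty list = compliant)."""
    spec = psp.get("spec") or {}
    findings = []
    # A privileged container gets every capability no matter what the lists say.
    if spec.get("privileged", False):
        findings.append("privileged is true, which grants all capabilities")
    dropped = spec.get("requiredDropCapabilities") or []
    if "ALL" not in dropped:
        findings.append(f"requiredDropCapabilities does not include ALL (got {dropped})")
    allowed = spec.get("allowedCapabilities") or []
    if allowed:  # includes the "*" wildcard, which allows any capability
        findings.append(f"allowedCapabilities lets pods add back {allowed}")
    added = spec.get("defaultAddCapabilities") or []
    if added:
        findings.append(f"defaultAddCapabilities grants {added} to every pod")
    return findings


def audit(psps: List[dict]) -> Dict[str, List[str]]:
    """Map each policy name to its findings."""
    return {p["metadata"]["name"]: capability_findings(p) for p in psps}


def load_cluster_psps() -> List[dict]:
    """Fetch the live policies; equivalent to `kubectl get psp -o json`."""
    out = subprocess.run(["kubectl", "get", "psp", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["items"]


if __name__ == "__main__":
    policies = load_cluster_psps() if "--cluster" in sys.argv else SAMPLE_PSPS
    for name, findings in audit(policies).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status}\t{name}")
        for f in findings:
            print(f"\t- {f}")
```

Run without arguments to see the constructed samples evaluated (restricted-no-caps passes, permissive fails on both the missing ALL and the NET_ADMIN allow-list); run with --cluster to audit a real cluster. A policy with no findings still only restricts pods whose service account is authorised to use it, so pair it with RBAC that denies use of any more permissive PSP in the namespace.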

Impact

Pods with containers that require capabilities to operate will not be permitted.

Default value

By default, PodSecurityPolicies are not defined.

References

  1. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies
  2. https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/

CIS controls

Version 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.