

4.2.8 Minimize the execution of container workloads with added capabilities (Automated)

Profile Applicability

• Level 1


Description

Do not generally permit containers to be run with capabilities assigned beyond the default set.


Rationale

Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities outside this set can be added to containers, which could expose them to the risk of container breakout attacks.


Impact Statement

Pods with containers which require capabilities outside the default set will not be permitted.


Audit

Get the configuration of all pods in all namespaces using the following command:

kubectl get pods --all-namespaces -o json

Inspect the JSON output and ensure that, for each pod in .items[], there are no containers which explicitly add capabilities via .spec.containers[].securityContext.capabilities.add[].

If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array:

kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(any(.spec.containers[]; (.securityContext.capabilities.add // []) | length > 0)) | {namespace: .metadata.namespace, name: .metadata.name}' | jq -s '.'
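The same audit as a standalone script, added here as an example and not part of the benchmark itself. It walks a PodList document in the shape of kubectl get pods --all-namespaces -o json, treats a missing securityContext, a null capabilities block and an empty add list all as compliant, and also extends the check to initContainers, which the benchmark's jq filter does not cover. The pod data below is constructed for the example.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output
# (not real cluster data); three pods covering the cases the audit must handle.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "no-context"},
     "spec": {"containers": [{"name": "app", "image": "hello-world"}]}},
    {"metadata": {"namespace": "default", "name": "empty-add"},
     "spec": {"containers": [{"name": "app", "image": "hello-world",
              "securityContext": {"capabilities": {"add": [], "drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "net", "name": "adds-caps"},
     "spec": {"initContainers": [{"name": "init",
                 "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
              "containers": [{"name": "proxy",
                 "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}]}},
]})


def added_capabilities(container):
    """Return the list under securityContext.capabilities.add, or [] when any
    level of that path is absent or null (the common case for most pods)."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return caps.get("add") or []


def find_capability_additions(pods_json, include_init=True):
    """Walk a PodList document and return (namespace, pod, container, [caps])
    for every container that explicitly adds capabilities. initContainers are
    included too (an extension of the benchmark's check, which only lists
    .spec.containers[]); pass include_init=False to match the benchmark exactly."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        groups = ["containers"] + (["initContainers"] if include_init else [])
        for group in groups:
            for c in spec.get(group, []):
                caps = added_capabilities(c)
                if caps:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     c.get("name"), sorted(caps)))
    return findings


if __name__ == "__main__":
    # Real use: feed it the output of `kubectl get pods -A -o json` instead.
    for ns, pod, ctr, caps in find_capability_additions(SAMPLE_PODS_JSON):
        print(f"{ns}/{pod} container {ctr} adds {caps}")
```

An empty result list is the compliant outcome, matching the empty array the jq command above is expected to print.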


Default Value

By default, container runtimes ensure some Linux capabilities are not available to a container without being explicitly added.

Remediation

Ensure pod configurations do not configure the addition of non-default capabilities for any containers. This can be achieved by the absence of capability additions in the container security context configuration or by specifying an empty array of added capabilities.

The following example explicitly configures a pod with an empty array of capability additions:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      capabilities:
        add: []