lacework-global-655

4.2.8 Minimize the execution of container workloads with added capabilities (Automated)

Profile Applicability

• Level 1

Description

Do not generally permit the running of containers with capabilities assigned beyond the default set.

Rationale

Containers run with a default set of capabilities assigned by the container runtime. Capabilities outside this set can be added to containers, which could expose them to container breakout attacks.

Impact

Pods with containers which require capabilities outside the default set will not be permitted.

Audit

Get the configuration of all pods using the following command:

kubectl get pods -o json

Inspect the JSON output and ensure that, for each pod in .items[], no container in .spec.containers[] explicitly adds capabilities via .securityContext.capabilities.add[].

If jq is available in the shell, pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array (the filter reports pods where at least one container has a non-empty add list; a missing securityContext or capabilities block yields a length of 0 and is treated as compliant):

kubectl get pods -o json | jq -r '.items[] | select(any(.spec.containers[]; .securityContext.capabilities.add | length > 0)) | {name: .metadata.name}' | jq -s '.'
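The same audit as a small script, added here as an example and not part of the benchmark or Lacework policy itself. It takes the JSON that kubectl get pods -o json produces (a constructed sample is embedded below), applies the rule above to .spec.containers[] only, treats a missing securityContext, a missing capabilities block and add: [] as compliant, and reports each offending container rather than just the pod name:

```python
import json

# Constructed sample of `kubectl get pods -o json` output (not real cluster data).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "compliant-no-sc"},
         "spec": {"containers": [{"name": "app", "image": "app:1"}]}},
        {"metadata": {"name": "compliant-empty-add"},
         "spec": {"containers": [{"name": "app", "image": "app:1",
                                  "securityContext": {"capabilities": {"add": []}}}]}},
        {"metadata": {"name": "violating"},
         "spec": {"containers": [
             {"name": "sidecar", "image": "proxy:1"},
             {"name": "app", "image": "app:1",
              "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}},
    ]
})


def added_capabilities(pod_list_json):
    """Return [(pod, container, [caps])] for every container that adds capabilities.

    Mirrors the benchmark audit: only .spec.containers[] is inspected, and a
    missing securityContext, missing capabilities block, null or empty add list
    all count as compliant.
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
        for container in pod.get("spec", {}).get("containers", []):
            sec_ctx = container.get("securityContext") or {}
            caps = (sec_ctx.get("capabilities") or {}).get("add") or []
            if caps:
                findings.append((pod_name, container.get("name"), list(caps)))
    return findings


def is_compliant(pod_list_json):
    """True when no container in any pod adds capabilities beyond the default set."""
    return not added_capabilities(pod_list_json)


if __name__ == "__main__":
    for pod, container, caps in added_capabilities(SAMPLE_POD_LIST):
        print(f"{pod}/{container} adds {caps}")
```

To run it against a live cluster, pipe the output of kubectl get pods -A -o json into added_capabilities instead of SAMPLE_POD_LIST.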

Remediation

By default, container runtimes ensure some Linux capabilities are not available to a container without being explicitly added.

Ensure pod configurations do not add non-default capabilities to any container. You can achieve this either by omitting capability additions from the container's security context or by specifying an empty array of added capabilities.

The following example explicitly configures a pod with an empty array of capability additions:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      capabilities:
        add: []

References

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core
https://man7.org/linux/man-pages/man7/capabilities.7.html