lacework-global-784
Minimize the admission of containers with capabilities assigned (Manual)
Description
Do not generally permit containers to run with Linux capabilities assigned; workloads should drop all capabilities unless they have a demonstrated need for specific ones.
Remediation
Review the use of capabilities in applications running on the cluster.
Where a namespace contains applications which do not require any Linux capabilities to operate, consider adding a policy which forbids the admission of containers that do not drop all capabilities. Note that PodSecurityPolicy (the mechanism described in the first reference) was removed in Kubernetes v1.25; its built-in replacement is Pod Security Admission, whose "restricted" profile requires every container to drop ALL capabilities and permits adding only NET_BIND_SERVICE. Labelling a namespace with pod-security.kubernetes.io/enforce=restricted therefore enforces this control for that namespace.
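The review step above is manual, so the following is an added audit script (example code written for this page, not part of the Lacework policy or the CIS benchmark) that walks the JSON output of kubectl get pods -A -o json and reports every init, regular and ephemeral container that does not drop ALL capabilities, or that adds a capability beyond NET_BIND_SERVICE (the one addition the restricted profile tolerates). The PodList embedded in the block is constructed for illustration; the container names, namespaces and capability sets in it are assumptions, not data from any real cluster.

```python
"""Audit a Kubernetes PodList for containers that keep Linux capabilities.

Run with real data:  kubectl get pods -A -o json | python3 audit_caps.py
Run stand-alone:     python3 audit_caps.py   (uses the constructed sample below)
"""
import json
import sys

# The Pod Security Standards "restricted" profile permits adding only this capability.
ALLOWED_ADD = {"NET_BIND_SERVICE"}

# Container lists in a PodSpec that can carry a securityContext, with a label for reports.
CONTAINER_FIELDS = (
    ("initContainers", "init"),
    ("containers", "container"),
    ("ephemeralContainers", "ephemeral"),
)


def container_findings(container, kind):
    """Return a list of human-readable findings for one container spec."""
    name = container.get("name", "<unnamed>")
    sec_ctx = container.get("securityContext") or {}
    caps = sec_ctx.get("capabilities") or {}
    drop = caps.get("drop") or []
    add = caps.get("add") or []
    findings = []
    # A missing securityContext or capabilities block means the runtime default set is kept,
    # which is exactly what this control wants forbidden: require an explicit drop of ALL.
    if "ALL" not in drop:
        findings.append(f"{kind}/{name}: does not drop ALL capabilities (drop={drop})")
    extra = sorted(set(add) - ALLOWED_ADD)
    if extra:
        findings.append(f"{kind}/{name}: adds capabilities beyond NET_BIND_SERVICE: {extra}")
    return findings


def audit_pods(pod_list):
    """Map 'namespace/pod' -> findings for every pod in a v1 PodList that fails the control."""
    results = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata") or {}
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        spec = pod.get("spec") or {}
        findings = []
        for field, kind in CONTAINER_FIELDS:
            for container in spec.get(field) or []:
                findings.extend(container_findings(container, kind))
        if findings:
            results[key] = findings
    return results


# Constructed sample PodList (assumed data, not taken from a real cluster):
# - web/frontend is compliant (drops ALL, adds only NET_BIND_SERVICE)
# - default/legacy has no securityContext at all
# - ops/debug has a compliant init container but a main container that keeps
#   most capabilities and adds SYS_ADMIN
SAMPLE_PODLIST = {
    "apiVersion": "v1",
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend"},
         "spec": {"containers": [
             {"name": "nginx",
              "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}},
        {"metadata": {"namespace": "default", "name": "legacy"},
         "spec": {"containers": [{"name": "app"}]}},
        {"metadata": {"namespace": "ops", "name": "debug"},
         "spec": {"initContainers": [
                      {"name": "setup",
                       "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
                  "containers": [
                      {"name": "tools",
                       "securityContext": {"capabilities": {"drop": ["NET_RAW"],
                                                            "add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}]}},
    ],
}


if __name__ == "__main__":
    data = SAMPLE_PODLIST if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit_pods(data)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report else 0)
```

Pods listed in the report are candidates for either a manifest fix (add capabilities.drop: [ALL] to each container's securityContext) or a justified exception; namespaces where the report comes back empty are ready to carry the restricted enforce label without breaking workloads. The exit code makes the script usable as a CI gate over rendered manifests wrapped in a PodList.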
References
https://kubernetes.io/docs/concepts/security/pod-security-policy/
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/