lacework-global-784

Minimize the admission of containers with capabilities assigned (Manual)

Description

Do not generally permit containers with capabilities.

Remediation

Review the use of capabilities in applications running on the cluster.

Where a namespace contains applications that do not require any Linux capabilities to operate, consider adding a policy that forbids the admission of containers that do not drop all capabilities.

References

https://kubernetes.io/docs/concepts/security/pod-security-policy/
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/