Severity: medium
Severity Framework: Snyk CCSS
Rule category: Containers / Best Practices

Frameworks: CIS-Controls, CSA-CCM
  • Snyk ID: SNYK-CC-00636
  • Credit: Snyk Research Team

Description

The list of allowed capabilities (allowedCapabilities) is set to all.

How to fix?

Remove the allowedCapabilities attribute, or set its value to [].

Example Configuration

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: demo
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  requiredDropCapabilities:
    - ALL
  # Empty list: no capabilities may be added beyond the default set
  allowedCapabilities: []
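
A check for this misconfiguration over the JSON returned by kubectl get psp -o json, as an added example that is not Snyk's rule logic or code from this page. It assumes "all" is expressed with the Kubernetes * wildcard entry; the sample policies and the classification labels are constructed for illustration.

```python
import json

# Constructed sample input in the shape of `kubectl get psp -o json` output.
SAMPLE_JSON = """
{"kind": "List", "items": [
  {"kind": "PodSecurityPolicy", "metadata": {"name": "demo"},
   "spec": {"requiredDropCapabilities": ["ALL"], "allowedCapabilities": []}},
  {"kind": "PodSecurityPolicy", "metadata": {"name": "wide-open"},
   "spec": {"allowedCapabilities": ["*"]}},
  {"kind": "PodSecurityPolicy", "metadata": {"name": "no-field"},
   "spec": {"requiredDropCapabilities": ["ALL"]}},
  {"kind": "PodSecurityPolicy", "metadata": {"name": "net-only"},
   "spec": {"allowedCapabilities": ["NET_BIND_SERVICE"]}},
  {"kind": "PodSecurityPolicy", "metadata": {"name": "nested"},
   "spec": {"allowedCapabilities": [[]]}},
  {"kind": "Deployment", "metadata": {"name": "ignored"}, "spec": {}}
]}
"""

def classify(spec):
    """Classify one PodSecurityPolicy spec by its allowedCapabilities value."""
    caps = spec.get("allowedCapabilities")
    if caps is None or caps == []:
        return "ok"              # attribute removed or set to []
    if not isinstance(caps, list) or not all(isinstance(c, str) for c in caps):
        return "malformed"       # e.g. a YAML "- []" item parses as [[]]
    if "*" in caps:              # assumption: "*" is how "all" is expressed
        return "all-allowed"     # the misconfiguration described above
    return "explicit-list"       # named capabilities: review each one

def audit(doc):
    """Map policy name -> classification for every PodSecurityPolicy in doc."""
    items = doc["items"] if doc.get("kind", "").endswith("List") else [doc]
    return {i["metadata"]["name"]: classify(i.get("spec", {}))
            for i in items if i.get("kind") == "PodSecurityPolicy"}

if __name__ == "__main__":
    for name, result in audit(json.loads(SAMPLE_JSON)).items():
        print(f"{name}: {result}")
```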