Container does not drop all default capabilities Affecting Deployment service in Kubernetes

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-ControlsCSA-CCM

Snyk IDSNYK-CC-K8S-6
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

Containers are running with potentially unnecessary privileges

How to fix?

Add ALL to securityContext.capabilities.drop list, and add only required capabilities in securityContext.capabilities.add

Add ALL to spec.container.security_context.capabilities.drop list, and add only required capabilities to spec.container.security_context.capabilities.add, ensuring it also does not contain ALL

References

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/

Container does not drop all default capabilities Affecting Deployment service in Kubernetes

Severity

Is your environment affected by this misconfiguration?

Description

How to fix?

References