☑️ Ensure containers have limited capabilities
Linux kernel capabilities are a set of privileges. By default, Docker runs containers with only a subset of them. You can drop capabilities (using `--cap-drop`) to harden your Docker containers, or add capabilities (using `--cap-add`) if needed.
Note
Remember not to run containers with the `--privileged` flag - this will add ALL Linux kernel capabilities to the container.
The following capabilities are considered safe; any others should be avoided:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
Targeted objects by this rule (types of `kind`): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: medium
Policy as code identifier: EKS_INVALID_CAPABILITIES_EKS
This rule will fail
If a container adds an unsafe capability:
securityContext:
  capabilities:
    add:
      - SYS_ADMIN
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Ensure containers have limited capabilities [1 occurrence]
💡 Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components
How to fix this failure
securityContext:
  capabilities:
    add:
      - AUDIT_WRITE
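The check below is an added, standalone example of the logic this rule describes; it is not Datree's own implementation. It walks the container specs of the targeted kinds (Pod directly, CronJob via its Job template, the rest via `spec.template`), compares every capability in `securityContext.capabilities.add` against the safe list above, and also flags `privileged: true`, which is the Kubernetes equivalent of the `--privileged` flag the note warns about. Normalizing away an optional `CAP_` prefix is an assumption made here because container runtimes accept both spellings; the function names and the sample manifests (mirroring the fail and fix examples, with a `drop: [ALL]` added to the fixed one) are constructed for this example.

```python
"""Flag Kubernetes workloads that add Linux capabilities outside the rule's safe list."""

# Safe list taken from the rule text; anything else is a finding.
SAFE_CAPABILITIES = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})

# Kinds targeted by the rule.
WORKLOAD_KINDS = frozenset({
    "Deployment", "Pod", "DaemonSet", "StatefulSet", "ReplicaSet", "CronJob", "Job",
})


def normalize(cap):
    """Compare capability names in one form (assumption: runtimes accept with or without CAP_)."""
    cap = str(cap).strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def pod_spec(obj):
    """Locate the PodSpec for each targeted kind."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":
        job_template = obj.get("spec", {}).get("jobTemplate", {})
        return job_template.get("spec", {}).get("template", {}).get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def find_unsafe_capabilities(obj):
    """Return a list of (container name, finding) for one manifest object.

    Both regular and init containers are inspected. `privileged: true` is reported
    because it grants every capability regardless of the `add` list.
    """
    if obj.get("kind") not in WORKLOAD_KINDS:
        return []
    findings = []
    spec = pod_spec(obj)
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []) or []:
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append((name, "privileged: true grants all capabilities"))
            added = (sc.get("capabilities") or {}).get("add") or []
            for cap in added:
                norm = normalize(cap)
                if norm == "ALL" or norm not in SAFE_CAPABILITIES:
                    findings.append((name, f"unsafe capability added: {cap}"))
    return findings


# Constructed sample mirroring the page's failing example (SYS_ADMIN added).
FAIL_EXAMPLE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "fail-example"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
    }]}}},
}

# Constructed sample of the fixed shape: drop everything, add back only a safe capability.
FIXED_EXAMPLE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "fixed-example"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
    }]}}},
}

if __name__ == "__main__":
    for manifest in (FAIL_EXAMPLE, FIXED_EXAMPLE):
        result = find_unsafe_capabilities(manifest)
        status = "FAIL" if result else "PASS"
        print(f"{status} {manifest['kind']}/{manifest['metadata']['name']}: {result}")
```

Pairing `drop: [ALL]` with a minimal `add` list, as the fixed sample does, is the usual way to end up with only the capabilities a workload actually needs rather than the runtime's default set plus whatever was added.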