Capabilities permit certain named root actions without giving full root access. They are a more fine-grained permissions model, and all capabilities should be dropped from a pod, with only those required added back. Granting containers unnecessary capabilities may lead to their compromise and give attackers access to sensitive components.
Objects targeted by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: medium
Policy as code identifier: CONTAINERS_INVALID_CAPABILITIES_VALUE
This rule will fail
If one or more of the following insecure capabilities are set:
add: ["SYS_ADMIN", "PERFMON"]
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent containers from having insecure capabilities [1 occurrence]
💡 Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components
How to fix this failure
Refrain from setting any unnecessary insecure capabilities.
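The following manifests are an added example, not taken from the original page or from Datree: a Pod that sets one of the capabilities listed above, next to a version that drops everything and adds back a single capability. The pod names, the image, and the premise that the workload needs NET_BIND_SERVICE (and that it is not on the rule's list, which the page shows only in part) are assumptions.

```yaml
# Fails the rule: SYS_ADMIN is one of the insecure capabilities named above.
apiVersion: v1
kind: Pod
metadata:
  name: web-fail                              # hypothetical name
spec:
  containers:
    - name: web
      image: registry.example.com/web:1.0     # placeholder image
      securityContext:
        capabilities:
          add: ["SYS_ADMIN"]
---
# Corrected: drop every capability, then add back only what the workload needs.
# Assumption: the process binds to a port below 1024, so it needs
# NET_BIND_SERVICE and nothing else.
apiVersion: v1
kind: Pod
metadata:
  name: web-fixed                             # hypothetical name
spec:
  containers:
    - name: web
      image: registry.example.com/web:1.0     # placeholder image
      securityContext:
        capabilities:
          drop: ["ALL"]
          add: ["NET_BIND_SERVICE"]
```

For the workload kinds listed above other than Pod, the same `securityContext` block sits on each container in the pod template (`spec.template.spec.containers`, or `spec.jobTemplate.spec.template.spec.containers` for a CronJob).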