Skip to main content

☑️ Prevent containers from having insecure capabilities

Capabilities permit certain named root actions without giving full root access. They are a more fine-grained permissions model, and all capabilities should be dropped from a pod, with only those required added back. Giving containers unnecessary capabilities may compromise them and allow attackers access to sensitive components.

Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? True

Policy as code identifier: CONTAINERS_INVALID_CAPABILITIES_VALUE


This rule will fail

If one or more of the following insecure capabilities are set:

  • SETPCAP
  • NET_ADMIN
  • NET_RAW
  • SYS_MODULE
  • SYS_RAWIO
  • SYS_PTRACE
  • SYS_ADMIN
  • SYS_BOOT
  • MAC_OVERRIDE
  • MAC_ADMIN
  • PERFMON
  • ALL
  • BPF
kind: Pod
spec:
containers:
- securityContext:
capabilities:
add: ["SYS_ADMIN", "PERFMON"]

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from having insecure capabilities [1 occurrence]
💡 Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components

How to fix this failure

Refrain from setting any unnecessary insecure capabilities.

kind: Pod
spec:
containers:
- securityContext:
capabilities:
add: ["SYS_TIME"]

Read more