Disallow Capabilities Strict

Description

Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. This policy is Linux-only in v1.25+ (it applies when .spec.os.name != "windows").

For securityContext.capabilities.drop: Restricted Fields

  • spec.containers[*].securityContext.capabilities.drop
  • spec.initContainers[*].securityContext.capabilities.drop
  • spec.ephemeralContainers[*].securityContext.capabilities.drop

Allowed Values

  • Any list of capabilities that includes ALL

For securityContext.capabilities.add: Restricted Fields

  • spec.containers[*].securityContext.capabilities.add
  • spec.initContainers[*].securityContext.capabilities.add
  • spec.ephemeralContainers[*].securityContext.capabilities.add

Allowed Values

  • Undefined/nil
  • NET_BIND_SERVICE

Risks

This policy restricts container capabilities in order to limit the actions a container can perform. Without it, containers might be granted system capabilities that could be misused. The following are key risks of not enforcing this policy:

  • Privilege Escalation: Allowing containers to gain unnecessary capabilities can lead to privilege escalation. For instance, if a container is granted capabilities like SYS_MODULE, it might load malicious kernel modules or alter kernel behavior.

  • Service Disruption: Capabilities like SYS_BOOT allow processes to initiate a system reboot. If containers are not restricted from using such capabilities, attackers could cause service interruptions or system downtime.

  • Performance Degradation: Capabilities such as SYS_NICE enable processes to adjust priorities and scheduling policies. Unrestricted use of this capability could lead to an issue where an attacker might prioritize their processes over critical system tasks.

Kyverno Policy

Refer to the Nirmata curated policies - disallow-capabilities-strict.yaml

References

Configuration Settings

The configuration below indicates that if securityContext.capabilities.drop is present in a resource, ALL must be part of that list.

securityContext:
  capabilities:
    drop:
    - ALL

The configuration below indicates that if securityContext.capabilities.add is present in a resource, the only acceptable value is NET_BIND_SERVICE. Any other value leads to non-conformance with this security control. If securityContext.capabilities.add is not present at all, the resource is conformant by default.

securityContext:
  capabilities:
    add:
    - NET_BIND_SERVICE

Resource Example

Below is a Deployment resource example where securityContext.capabilities.drop is set to ALL.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            drop:
            - ALL

Below is a Deployment resource example where securityContext.capabilities.add is set to NET_BIND_SERVICE for both containers.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: addcap-gooddeployment05
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
      - name: container02
        image: dummyimagename
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
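The following is an added example, not part of the Nirmata policy or the Kyverno project: a small Python checker that applies the two rules from Configuration Settings above (drop, when set, must include ALL; add may only be unset or NET_BIND_SERVICE) to every container list the policy restricts, skipping Windows pods. The resource shape follows the Deployment above; the non-conformant copy and its initContainer are constructed for illustration.

```python
from copy import deepcopy

# Container lists the policy restricts (spec.containers, initContainers, ephemeralContainers).
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
ALLOWED_ADD = {"NET_BIND_SERVICE"}

def pod_spec_of(resource):
    """Return the Pod spec of a bare Pod or of a workload carrying a pod template."""
    spec = resource.get("spec", {})
    return spec["template"].get("spec", {}) if "template" in spec else spec

def check_capabilities(resource):
    """Return violation messages; an empty list means the resource conforms."""
    spec = pod_spec_of(resource)
    if spec.get("os", {}).get("name") == "windows":
        return []  # Linux-only policy: Windows pods are out of scope
    violations = []
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            path = f"spec.{list_name}[{c.get('name', '?')}].securityContext.capabilities"
            # Rule 1 (as worded in Configuration Settings): when drop is set it must include ALL.
            drop = caps.get("drop")
            if drop is not None and "ALL" not in drop:
                violations.append(f"{path}.drop must include ALL")
            # Rule 2: add may be unset or contain only NET_BIND_SERVICE.
            extra = sorted(set(caps.get("add") or []) - ALLOWED_ADD)
            if extra:
                violations.append(f"{path}.add has disallowed capabilities: {extra}")
    return violations

# Constructed sample: the two-container Deployment shown above, then a non-conformant copy.
GOOD = {"apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "addcap-gooddeployment05"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "container01", "image": "dummyimagename",
             "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
            {"name": "container02", "image": "dummyimagename",
             "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}}}}

BAD = deepcopy(GOOD)  # constructed: drop without ALL, extra add, and a bad initContainer
BAD["spec"]["template"]["spec"]["containers"][1]["securityContext"]["capabilities"] = {
    "drop": ["NET_RAW"], "add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}
BAD["spec"]["template"]["spec"]["initContainers"] = [
    {"name": "init01", "securityContext": {"capabilities": {"add": ["SYS_MODULE"]}}}]

if __name__ == "__main__":
    print(check_capabilities(GOOD))  # []
    for v in check_capabilities(BAD):
        print(v)
```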