Do not admit containers with SYS_ADMIN capability

SYS_ADMIN gives the container many privileges, and should be avoided.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.AC.09
Covered by Spectral: No
Category: Compute


KubernetesPod should not have spec.containers contain-any [ 'SYS_ADMIN' in(securityContext.capabilities.add) ] or spec.initContainers contain-any [ 'SYS_ADMIN' in(securityContext.capabilities.add) ]



Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • Container Admission Control
  • Container Admission Control 1.0