Ensure that Containers are not running with insecure capabilities

Ensure that containers are not running with insecure Linux capabilities added to their security context.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.45
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod where ((not name regexMatch /cp-resource-management/) and (not name regexMatch /flow-logs/) and (namespace != 'kube-system')) should not have spec.containers.securityContext.capabilities.add contain [ 'CHOWN' ] or spec.containers.securityContext.capabilities.add contain [ 'DAC_OVERRIDE' ] or spec.containers.securityContext.capabilities.add contain [ 'FSETID' ] or spec.containers.securityContext.capabilities.add contain [ 'FOWNER' ] or spec.containers.securityContext.capabilities.add contain [ 'SETGID' ] or spec.containers.securityContext.capabilities.add contain [ 'MKNOD' ] or spec.containers.securityContext.capabilities.add contain [ 'NET_RAW' ] or spec.containers.securityContext.capabilities.add contain [ 'SETUID' ] or spec.containers.securityContext.capabilities.add contain [ 'NET_BIND_SERVICE' ] or spec.containers.securityContext.capabilities.add contain [ 'SETFCAP' ] or spec.containers.securityContext.capabilities.add contain [ 'SETPCAP' ] or spec.containers.securityContext.capabilities.add contain [ 'SYS_CHROOT' ] or spec.containers.securityContext.capabilities.add contain [ 'KILL' ] or spec.containers.securityContext.capabilities.add contain [ 'AUDIT_WRITE' ] or spec.containers.securityContext.capabilities.add contain [ 'FSETID' ] or spec.initContainers.securityContext.capabilities.add contain [ 'CHOWN' ] or spec.initContainers.securityContext.capabilities.add contain [ 'DAC_OVERRIDE' ] or spec.initContainers.securityContext.capabilities.add contain [ 'FSETID' ] or spec.initContainers.securityContext.capabilities.add contain [ 'FOWNER' ] or spec.initContainers.securityContext.capabilities.add contain [ 'SETGID' ] or spec.initContainers.securityContext.capabilities.add contain [ 'MKNOD' ] or spec.initContainers.securityContext.capabilities.add contain [ 'NET_RAW' ] or spec.initContainers.securityContext.capabilities.add contain [ 'SETUID' ] or spec.initContainers.securityContext.capabilities.add contain [ 'NET_BIND_SERVICE' ] or spec.initContainers.securityContext.capabilities.add contain [ 'SETFCAP' ] or spec.initContainers.securityContext.capabilities.add contain [ 'SETPCAP' ] or spec.initContainers.securityContext.capabilities.add contain [ 'SYS_CHROOT' ] or spec.initContainers.securityContext.capabilities.add contain [ 'KILL' ] or spec.initContainers.securityContext.capabilities.add contain [ 'AUDIT_WRITE' ] or spec.initContainers.securityContext.capabilities.add contain [ 'FSETID' ]
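The GSL rule above, re-implemented as a stand-alone check over a Pod manifest so it can be run locally against exported pod JSON (for example, the output of kubectl get pod -o json). This is an added example, not CloudGuard's own evaluator; the sample manifest is constructed, and the normalisation of an optional CAP_ prefix is an assumption beyond the rule's literal string match.

```python
import re

# Capabilities flagged by rule D9.K8S.IAM.45 when present in capabilities.add.
INSECURE_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID", "MKNOD", "NET_RAW",
    "SETUID", "NET_BIND_SERVICE", "SETFCAP", "SETPCAP", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}
# Exclusions mirrored from the GSL 'where' clause.
EXCLUDED_NAME_PATTERNS = (re.compile(r"cp-resource-management"), re.compile(r"flow-logs"))
EXCLUDED_NAMESPACES = {"kube-system"}


def is_excluded(pod: dict) -> bool:
    meta = pod.get("metadata") or {}
    name = meta.get("name", "")
    namespace = meta.get("namespace", "default")
    return namespace in EXCLUDED_NAMESPACES or any(p.search(name) for p in EXCLUDED_NAME_PATTERNS)


def insecure_capabilities(pod: dict) -> list:
    """Return (container name, capability) pairs that violate the rule; [] if compliant."""
    if is_excluded(pod):
        return []
    findings = []
    spec = pod.get("spec") or {}
    # The rule inspects both regular containers and init containers.
    for kind in ("containers", "initContainers"):
        for c in spec.get(kind) or []:
            caps = ((c.get("securityContext") or {}).get("capabilities") or {})
            for cap in caps.get("add") or []:
                # Assumption: tolerate a CAP_ prefix and mixed case; the GSL rule matches literally.
                normalised = cap.upper().removeprefix("CAP_")
                if normalised in INSECURE_CAPS:
                    findings.append((c.get("name", "<unnamed>"), normalised))
    return findings


# Constructed sample manifest: 'app' adds NET_RAW and CHOWN (flagged even though it also
# drops ALL, because Kubernetes applies 'drop' before 'add'); 'init-clock' adds only
# SYS_TIME, which this rule does not cover.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-frontend", "namespace": "prod"},
    "spec": {
        "initContainers": [{"name": "init-clock",
                            "securityContext": {"capabilities": {"add": ["SYS_TIME"]}}}],
        "containers": [
            {"name": "app", "securityContext": {"capabilities": {"add": ["NET_RAW", "CHOWN"], "drop": ["ALL"]}}},
            {"name": "sidecar", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        ],
    },
}

if __name__ == "__main__":
    for container, cap in insecure_capabilities(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['name']}: container '{container}' adds {cap}")
```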

REMEDIATION

Create a PodSecurityPolicy (PSP) as described in the Kubernetes documentation, ensuring that .spec.requiredDropCapabilities includes CHOWN, DAC_OVERRIDE, FSETID, FOWNER, SETGID, MKNOD, NET_RAW, SETUID, NET_BIND_SERVICE, SETFCAP, SETPCAP, SYS_CHROOT, KILL and AUDIT_WRITE, or simply ALL.

References

  1. https://kubernetes.io/docs/concepts/policy/pod-security-policy
  2. https://man7.org/linux/man-pages/man7/capabilities.7.html

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers) with shared storage and network, and a specification for how to run the containers.

Compliance Frameworks

  • Kubernetes v.1.14 CloudGuard Best Practices