Impact & Risk Analysis

  • Severity: Medium (Level 2 - Defense in Depth)
  • CIS Benchmark: CIS 5.2.9
  • Impact: Reduced Attack Surface. Linux Capabilities break down the “root” privilege into smaller units (like CHOWN, KILL, NET_BIND_SERVICE). Default container runtimes grant a set of default capabilities that are unnecessary for most web applications. If an attacker compromises a container, they can use these capabilities to manipulate files, processes, or network settings. Dropping all capabilities ensures the process has the absolute minimum rights required to run.

Common Misconfiguration

Running containers with the default capability set provided by the container runtime (e.g., Docker default includes CHOWN, DAC_OVERRIDE, FOWNER, MKNOD, NET_RAW, etc.).

Vulnerable Example

# Vulnerable Pod Spec
apiVersion: v1
kind: Pod
metadata:
  name: default-caps-pod
spec:
  containers:
  - name: app
    image: nginx
    # VULNERABLE: No securityContext defined.
    # Inherits all default runtime capabilities.

Secure Example

# Secure Pod Spec
apiVersion: v1
kind: Pod
metadata:
  name: least-privilege-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      capabilities:
        # SECURE: Drop ALL default capabilities
        drop:
          - ALL

Audit Procedure

List the policies in use or inspect running pods to ensure that capabilities are explicitly dropped.

Check Running Pods:
# Check if capabilities are dropped
kubectl get pods -A -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.spec.containers[*].securityContext.capabilities.drop}\n{end}'

  • Analyze: Look for ALL.
  • Fail: If the output is empty or does not contain ALL.

Check Policies: Verify if the namespace enforces the restricted Pod Security Standard (which mandates drop: ["ALL"]).
kubectl get ns --show-labels
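The same audit as a script, added here as an example and not part of the benchmark text: it walks the JSON that `kubectl get pods -A -o json` produces, applies the "drop must contain ALL" rule from the audit step, and goes beyond the jsonpath one-liner by also checking initContainers and flagging any added capability outside an allowlist (defaulting to NET_BIND_SERVICE, the one exception the note below discusses). The pod list is a constructed sample, not real cluster output.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "web", "name": "default-caps-pod"},
     "spec": {"containers": [{"name": "app", "image": "nginx"}]}},
    {"metadata": {"namespace": "web", "name": "least-privilege-pod"},
     "spec": {"containers": [{"name": "app", "image": "nginx",
                              "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "web", "name": "partial-drop-pod"},
     "spec": {"initContainers": [{"name": "init", "image": "busybox"}],
              "containers": [{"name": "app", "image": "nginx",
                              "securityContext": {"capabilities": {"drop": ["NET_RAW"],
                                                                   "add": ["SYS_ADMIN"]}}}]}},
]})


def audit_capabilities(pod_list_json, allowed_add=("NET_BIND_SERVICE",)):
    """Return (namespace, pod, container, reason) findings for every container that fails.

    A container passes only if its drop list contains ALL and every added capability is
    in allowed_add. Init containers are included, which the jsonpath query above skips.
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            dropped = caps.get("drop") or []
            added = caps.get("add") or []
            if "ALL" not in dropped:  # empty drop list means runtime defaults are inherited
                findings.append((ns, name, c["name"], "does not drop ALL (got %r)" % dropped))
            extra = sorted(set(added) - set(allowed_add))
            if extra:
                findings.append((ns, name, c["name"],
                                 "adds capabilities beyond allowlist: %s" % ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for ns, pod, container, reason in audit_capabilities(SAMPLE_POD_LIST):
        print("FAIL %s/%s [%s]: %s" % (ns, pod, container, reason))
```

Pipe real output in with `kubectl get pods -A -o json` and replace SAMPLE_POD_LIST with stdin to run it against a cluster.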

Remediation

  1. Update Application Manifests: Modify your Deployment YAMLs to explicitly drop all capabilities.
  2. Enforce Policy: Apply the restricted Pod Security Standard to your namespaces.
# Enforce the restricted policy (requires drop: ["ALL"])
kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=restricted

Note: If an application genuinely needs a specific capability (e.g., NET_BIND_SERVICE to bind to port 80), you should drop ALL first and then explicitly add back only that single capability.