# Minimize Admission of Containers with Capabilities Assigned (CIS 5.2.9)

> Enforce least privilege by dropping all Linux capabilities from containers

## Impact & Risk Analysis

* **Severity:** Medium (Level 2 - Defense in Depth)
* **CIS Benchmark:** CIS 5.2.9
* **Impact:** **Reduced Attack Surface.** Linux Capabilities break down the "root" privilege into smaller units (like `CHOWN`, `KILL`, `NET_BIND_SERVICE`). Default container runtimes grant a set of default capabilities that are unnecessary for most web applications. If an attacker compromises a container, they can use these capabilities to manipulate files, processes, or network settings. Dropping *all* capabilities ensures the process has the absolute minimum rights required to run.

## Common Misconfiguration

Running containers with the default capability set provided by the container runtime (e.g., Docker default includes `CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `MKNOD`, `NET_RAW`, etc.).

## Vulnerable Example

```yaml
# Vulnerable Pod Spec
apiVersion: v1
kind: Pod
metadata:
  name: default-caps-pod
spec:
  containers:
  - name: app
    image: nginx
    # VULNERABLE: No securityContext defined.
    # Inherits all default runtime capabilities.
```

## Secure Example

```yaml
# Secure Pod Spec
apiVersion: v1
kind: Pod
metadata:
  name: least-privilege-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      capabilities:
        # SECURE: Drop ALL default capabilities
        drop:
          - ALL
```

## Audit Procedure

List the policies in use or inspect running pods to ensure that capabilities are explicitly dropped.

**Check Running Pods:**

```bash
# Check if capabilities are dropped
kubectl get pods -A -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.spec.containers[*].securityContext.capabilities.drop}\n{end}'
```

* **Analyze:** Look for `ALL`.
* **Fail:** If the output is empty or does not contain `ALL`.

**Check Policies:**
Verify whether each namespace enforces the **restricted** Pod Security Standard (which mandates `drop: ["ALL"]`).

```bash
kubectl get ns --show-labels
```

## Remediation

1. **Update Application Manifests:** Modify your Deployment YAMLs to explicitly drop all capabilities.
2. **Enforce Policy:** Apply the **restricted** Pod Security Standard to your namespaces.

```bash
# Enforce the restricted policy (requires drop: ["ALL"])
kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=restricted
```

**Note:** If an application genuinely needs a specific capability (e.g., `NET_BIND_SERVICE` to bind to port 80), you should drop `ALL` first and then explicitly add back only that single capability.
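The following script is an added example, not part of the CIS benchmark or of this guide's own tooling. It automates the audit above and the add-back rule from the note: it reads the JSON that `kubectl get pods -A -o json` prints, walks `initContainers`, `containers` and `ephemeralContainers` (the jsonpath in the audit procedure only inspects `.spec.containers`, so an init container with default capabilities would slip past it), fails any container that does not `drop: ["ALL"]`, and fails any container that adds back a capability other than `NET_BIND_SERVICE`, which is the only add-back the restricted Pod Security Standard permits. The pod list embedded in the script is a constructed sample so it runs offline; pipe real `kubectl` output into it instead.

```python
"""Audit Kubernetes pod specs for CIS 5.2.9 (drop ALL capabilities).

Added example, not code from the CIS benchmark or this guide. Input is the
JSON from `kubectl get pods -A -o json`; SAMPLE_POD_LIST is a constructed
stand-in so the script runs without a cluster.
"""
import json
import sys

# The restricted Pod Security Standard lets a container add back only this capability.
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}

# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to the fields used.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "default-caps-pod"},
         "spec": {"containers": [{"name": "app", "image": "nginx"}]}},
        {"metadata": {"namespace": "web", "name": "least-privilege-pod"},
         "spec": {"containers": [{"name": "app", "image": "nginx",
                                  "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
        {"metadata": {"namespace": "web", "name": "port80-pod"},
         "spec": {"containers": [{"name": "app", "image": "nginx",
                                  "securityContext": {"capabilities": {"drop": ["ALL"],
                                                                       "add": ["NET_BIND_SERVICE"]}}}],
                  # Init container with no securityContext: the page's jsonpath would miss it.
                  "initContainers": [{"name": "init", "image": "busybox"}]}},
        {"metadata": {"namespace": "ops", "name": "net-admin-pod"},
         "spec": {"containers": [{"name": "app", "image": "nginx",
                                  "securityContext": {"capabilities": {"drop": ["ALL"],
                                                                       "add": ["NET_ADMIN"]}}}]}},
    ]
})


def iter_containers(pod):
    """Yield (kind, container) for every container list in the pod spec."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind, []):
            yield kind, container


def check_container(container):
    """Return a list of finding messages for one container; empty means compliant."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    # Normalise case so "all" and "ALL" compare equal.
    dropped = {d.upper() for d in caps.get("drop", [])}
    added = {a.upper() for a in caps.get("add", [])}
    findings = []
    if "ALL" not in dropped:
        findings.append("does not drop ALL capabilities")
    extra = added - RESTRICTED_ALLOWED_ADD
    if extra:
        findings.append("adds capabilities not permitted by the restricted PSS: "
                        + ", ".join(sorted(extra)))
    return findings


def audit(pod_list_json):
    """Audit a kubectl pod list; return (namespace/pod, kind/container, message) tuples."""
    results = []
    for pod in json.loads(pod_list_json)["items"]:
        pod_ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for kind, container in iter_containers(pod):
            for message in check_container(container):
                results.append((pod_ref, f"{kind}/{container['name']}", message))
    return results


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_caps.py   (falls back to the sample)
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(data)
    for pod_ref, container_ref, message in findings:
        print(f"FAIL {pod_ref} {container_ref}: {message}")
    print("PASS" if not findings else f"{len(findings)} finding(s)")
```

Against the sample the script reports three findings: the pod with no `securityContext`, the init container in `port80-pod`, and the `NET_ADMIN` add-back in `net-admin-pod`; the pod that drops `ALL` and adds back only `NET_BIND_SERVICE` passes, matching what the restricted profile accepts.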
