/
Kubernetes Clusters Should Not Grant CAPSYSADMIN Security Capabilities
Kubernetes Clusters Should Not Grant CAPSYSADMIN Security Capabilities
- Former user (Deleted)
Owned by Former user (Deleted)
Aug 17, 2021
1 min read
Analytics
Loading data...
Description:
To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities.
Solution/Reference:
Security Center lists the pods running containers that have the CAP_SYS_ADMIN Linux security capability. To remove a containers' CAP_SYS_ADMIN Linux security capabilities:
1. From the unhealthy resources tab, select the cluster.
2. Insert a capabilities section in the securityContext section of the container manifest with Drop: CAP_SYS_ADMIN.
3. After making your changes, redeploy the pod with the updated capabilities
For more information, see https://aka.ms/kubepolicydoc.
, multiple selections available,
Related content
Privileged Containers Should be Avoided
Privileged Containers Should be Avoided
More like this
Least Privileged Linux Capabilities Should Be Enforced for Containers
Least Privileged Linux Capabilities Should Be Enforced for Containers
More like this
Container With Privilege Escalation Should Be Avoided
Container With Privilege Escalation Should Be Avoided
More like this
Running Containers as Root User Should be Avoided
Running Containers as Root User Should be Avoided
More like this
Pod Security Policies Should be Defined on Kubernetes Services (Deprecated)
Pod Security Policies Should be Defined on Kubernetes Services (Deprecated)
More like this
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
More like this