Ensure admission of containers with added capability is minimized

Error: Admission of containers with added capability is not minimized

Bridgecrew Policy ID: BC_K8S_24
Checkov Check ID: CKV_K8S_25
Severity: LOW


Description

Containers run with a default set of capabilities assigned by the container runtime. By default this set can include potentially dangerous capabilities. With Docker as the container runtime, the NET_RAW capability is enabled by default, and it may be misused by malicious containers. Ideally, all containers should drop this capability.
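As an added illustration (this is not Checkov's own implementation of CKV_K8S_25), the following Python walks a Kubernetes manifest, reports every container that adds Linux capabilities through `securityContext.capabilities.add`, and separately confirms whether a container drops NET_RAW as the description recommends. The two manifests at the bottom are constructed samples: a Pod that adds NET_RAW (the condition this policy flags) and a Deployment that drops it instead. The manifest paths, names and images are assumptions made for the example.

```python
"""Detect containers that add capabilities, and show the hardened alternative.

Added example, not code from Checkov or Bridgecrew. Manifests are handled as
already-parsed dicts so the example runs without a YAML library.
"""
from typing import Any, Dict, Iterator, List, Tuple

Container = Dict[str, Any]


def iter_containers(manifest: Dict[str, Any]) -> Iterator[Tuple[str, Container]]:
    """Yield (path, container) for containers and initContainers.

    Handles a bare Pod (spec.containers) and workloads that embed a Pod
    template (Deployment, StatefulSet, DaemonSet, Job: spec.template.spec).
    """
    spec = manifest.get("spec") or {}
    prefix = "spec"
    if "template" in spec:  # Deployment-style workload: descend into the Pod template
        spec = (spec["template"] or {}).get("spec") or {}
        prefix = "spec.template.spec"
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            yield f"{prefix}.{field}[{container.get('name', '?')}]", container


def added_capabilities(container: Container) -> List[str]:
    """Return the capabilities a container adds (empty list if none)."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return list(caps.get("add") or [])


def drops_capability(container: Container, cap: str) -> bool:
    """True if the container drops `cap` explicitly or drops ALL capabilities."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {c.upper() for c in (caps.get("drop") or [])}
    return cap.upper() in dropped or "ALL" in dropped


def check_added_capabilities(manifest: Dict[str, Any]) -> List[Tuple[str, List[str]]]:
    """Findings in the spirit of CKV_K8S_25: (path, [added caps]) per offending container."""
    findings = []
    for path, container in iter_containers(manifest):
        added = added_capabilities(container)
        if added:
            findings.append((path, added))
    return findings


# Constructed sample: the weak setting this policy flags (adds NET_RAW).
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-weak"},  # assumed name
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",  # assumed image
                "securityContext": {"capabilities": {"add": ["NET_RAW"]}},
            }
        ]
    },
}

# Constructed sample: the hardened form (adds nothing, drops NET_RAW).
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-hardened"},  # assumed name
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "app",
                        "image": "example/app:1.0",  # assumed image
                        "securityContext": {"capabilities": {"drop": ["NET_RAW"]}},
                    }
                ]
            }
        }
    },
}


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_DEPLOYMENT)):
        findings = check_added_capabilities(manifest)
        status = "FAILED" if findings else "PASSED"
        print(f"{name}: {status} {findings}")
        for path, container in iter_containers(manifest):
            print(f"  {path} drops NET_RAW: {drops_capability(container, 'NET_RAW')}")
```

Running the script reports the Pod as failing (it adds NET_RAW) and the Deployment as passing; the `drops_capability` helper additionally confirms that the hardened container meets the stronger recommendation of dropping NET_RAW rather than merely not adding it.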
