Ensure CAP_SYS_ADMIN Linux capability is not used

Error: CAP_SYS_ADMIN Linux capability is used

Bridgecrew Policy ID: BC_K8S_36
Checkov Check ID: CKV_K8S_39
Severity: HIGH

Description

Linux capabilities permit certain named root actions without giving full root access, and are considered a fine-grained permissions model.

We recommend dropping all capabilities from a pod and adding back only those that are required. There are a large number of capabilities, and CAP_SYS_ADMIN covers the broadest set of privileged operations among them. CAP_SYS_ADMIN is a highly privileged access level, equivalent to root access, and should generally be avoided.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: securityContext:capabilities:add (Optional)
    The add field under capabilities grants additional privileges to the container's processes. Remove SYS_ADMIN from it, as marked with "-" in the manifest below.

apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        add:
-       - SYS_ADMIN
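
The same condition can be audited across existing manifests. The script below is an added example, not Checkov's or Bridgecrew's own implementation: it walks the JSON form of a manifest and reports every container whose capabilities add list grants SYS_ADMIN. It goes slightly beyond the check described above by also covering init and ephemeral containers, workload pod templates, the CAP_ prefixed spelling, and add: ALL (which includes SYS_ADMIN). The function names and the sample objects are constructed for illustration.

```python
import json
import sys

CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def added_caps(container):
    """Capabilities a container adds, upper-cased and without any CAP_ prefix."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    names = (str(c).upper() for c in caps.get("add") or [])
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def find_sys_admin(manifest):
    """Return (kind, object name, container name) for each container granted SYS_ADMIN."""
    items = (manifest.get("items") or []) if manifest.get("kind") == "List" else [manifest]
    findings = []
    for obj in items:
        name = (obj.get("metadata") or {}).get("name", "<unnamed>")
        for key in CONTAINER_KEYS:
            for c in pod_spec(obj).get(key) or []:
                # "ALL" in add grants every capability, SYS_ADMIN included.
                if added_caps(c) & {"SYS_ADMIN", "ALL"}:
                    findings.append((obj.get("kind"), name, c.get("name")))
    return findings

# Constructed sample input (not from the page): one failing Pod, one passing Deployment.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "debug-pod"}, "spec": {"containers": [
        {"name": "tools", "image": "example/tools",
         "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
        "containers": [{"name": "nginx", "image": "example/nginx", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}}},
]}

if __name__ == "__main__":
    # Pass a saved `kubectl get ... -o json` file as argv[1]; with no argument the sample is used.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for kind, name, container in find_sys_admin(doc):
        print(f"FAIL {kind}/{name} container={container}: SYS_ADMIN capability added")
```

The passing Deployment in the sample shows the recommended shape: drop ALL, then add back only the capability the container needs.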