Ensure CAP_SYS_ADMIN Linux capability is not used
Error: CAP_SYS_ADMIN Linux capability is used
Bridgecrew Policy ID: BC_K8S_36
Checkov Check ID: CKV_K8S_39
CAP_SYS_ADMIN Linux capability is used
Capabilities permit specific, named root actions without granting full root access, and are considered a fine-grained permissions model.
We recommend dropping all capabilities from a pod and adding back only those that are required. Linux defines a large number of capabilities, and CAP_SYS_ADMIN covers the broadest set of privileged operations among them. CAP_SYS_ADMIN is a highly privileged access level equivalent to root access and should generally be avoided.
Fix - Buildtime
- Resource: Container
- Argument: securityContext:capabilities:add (Optional)
The capabilities add field grants additional privileges to a container's processes. In the manifest below, the line marked with a leading - is the entry to remove.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        add:
-        - SYS_ADMIN
```
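An added example (not Checkov's or Bridgecrew's own code): a small Python audit that applies the same rule to already-parsed manifests and reports every container whose capabilities add list contains SYS_ADMIN. It goes beyond the page by also flagging ALL, which includes SYS_ADMIN, and by walking workload templates and init/ephemeral containers; the function names and sample manifests are constructed for illustration.

```python
"""Flag containers that add SYS_ADMIN (or ALL) via securityContext.capabilities.add."""

RISKY = {"SYS_ADMIN", "ALL"}  # ALL grants every capability, SYS_ADMIN included
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest):
    """Return the pod spec for a Pod, a workload with spec.template, or a CronJob."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if manifest.get("kind") != "Pod":
        spec = (spec.get("template") or {}).get("spec") or {}
    return spec


def normalize(cap):
    """Kubernetes names omit the CAP_ prefix; defensively accept either spelling and any case."""
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def find_sys_admin(manifest):
    """Return (container name, offending capability) pairs for one manifest."""
    findings = []
    spec = pod_spec(manifest)
    for key in CONTAINER_KEYS:
        for c in spec.get(key) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                if normalize(cap) in RISKY:
                    findings.append((c.get("name"), normalize(cap)))
    return findings


# Constructed sample manifests (as parsed from YAML/JSON), not taken from the page.
BAD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
GOOD_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "web", "securityContext": {"capabilities": {
        "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
    "initContainers": [{"name": "setup"}]}}}}

if __name__ == "__main__":
    for m in (BAD_POD, GOOD_DEPLOYMENT):
        print(m["kind"], find_sys_admin(m) or "ok")
```

The compliant sample follows the recommendation above: drop ALL, then add back only the capability the container needs.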