Capabilities permit certain named root actions without giving full root access and are considered a fine-grained permissions model.
We recommend all capabilities should be dropped from a pod, with only those required added back. There are a large number of capabilities, with CAP_SYS_ADMIN bounding most. CAP_SYS_ADMIN is a highly privileged access level equivalent to root access and should generally be avoided.
- Resource: Container
- Argument: securityContext:capabilities:add (Optional)
Add capabilities field allows granting certain privileges to a process.
apiVersion: v1 kind: Pod metadata: name: <Pod name> spec: containers: - name: <container name> image: <image> securityContext: capabilities: add: - -SYS_ADMIN
Updated 10 months ago