---
title: "Disallow Capabilities Strict"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/restricted/disallow-capabilities-strict/
---



### Description
Containers must drop `ALL` capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability. [This is a Linux-only policy](https://kubernetes.io/docs/concepts/security/pod-security-standards/#os-specific-policy-controls) in v1.25+ (`.spec.os.name != "windows"`).

For `securityContext.capabilities.drop`:
**Restricted Fields**
* spec.containers[*].securityContext.capabilities.drop
* spec.initContainers[*].securityContext.capabilities.drop
* spec.ephemeralContainers[*].securityContext.capabilities.drop

**Allowed Values**
* Any list of capabilities that includes ALL

For `securityContext.capabilities.add`:
**Restricted Fields**
* spec.containers[*].securityContext.capabilities.add
* spec.initContainers[*].securityContext.capabilities.add
* spec.ephemeralContainers[*].securityContext.capabilities.add

**Allowed Values**
* Undefined/nil
* NET_BIND_SERVICE

### Risks
This policy to restrict container capabilities is designed to enhance security by limiting the actions that containers can perform. Without this policy, containers might have access to system capabilities that could be misused. The following are some key risks associated with not enforcing this policy:

* `Privilege Escalation`: Allowing containers to gain unnecessary capabilities can lead to privilege escalation. For instance, if a container is granted capabilities like `SYS_MODULE`, it might load malicious kernel modules or alter kernel behavior.

* `Service Disruption`: Capabilities like `SYS_BOOT` allow processes to initiate a system reboot. If containers are not restricted from using such capabilities, attackers could cause service interruptions or system downtime.

* `Performance Degradation`: Capabilities such as `SYS_NICE` enable processes to adjust priorities and scheduling policies. Unrestricted use of this capability could let an attacker prioritize their own processes over critical system tasks.

### Kyverno Policy
Refer to the Nirmata curated policies - [disallow-capabilities-strict.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml)

### References
#### Configuration Settings
The below configuration indicates that in a resource, if `securityContext.capabilities.drop` is present, `ALL` **should** be part of that list.

```yaml
securityContext:
  capabilities:
    drop:
    - ALL
```

The below configuration indicates that in a resource, if `securityContext.capabilities.add` is present, the only acceptable value is `NET_BIND_SERVICE`. Any other value leads to non-conformance with this security control. If `securityContext.capabilities.add` is not present at all, then the resource is conformant by default.

```yaml
securityContext:
  capabilities:
    add:
    - NET_BIND_SERVICE
```
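The following is an added example, not the Nirmata policy or Kyverno's engine: a small Python checker that applies the two rules described above (drop must include `ALL`, add may only contain `NET_BIND_SERVICE`, Windows pods are out of scope) to every container list in a Pod or in a Deployment-style pod template. The manifests embedded at the bottom are constructed for the example; the `placeholder-image` names are not real images.

```python
# Added example (not the Nirmata policy or Kyverno itself): a plain-Python checker for the
# two rules this page describes, applied to a Pod or to a workload that carries a pod template.
ALLOWED_ADD = {"NET_BIND_SERVICE"}
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(resource: dict) -> dict:
    """Return the Pod spec of a Pod, or of a Deployment/StatefulSet-style template."""
    spec = resource.get("spec") or {}
    return (spec.get("template") or {}).get("spec") or spec


def check_capabilities(resource: dict) -> list:
    """Return one message per violation; an empty list means the resource conforms."""
    spec = pod_spec(resource)
    if (spec.get("os") or {}).get("name") == "windows":
        return []  # Linux-only control: Windows pods are out of scope (v1.25+)
    violations = []
    for field in CONTAINER_LISTS:
        for container in spec.get(field) or []:
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            where = f"spec.{field}[{container.get('name', '?')}]"
            # Rule 1: drop must include ALL (a missing drop list is also a violation)
            if "ALL" not in (caps.get("drop") or []):
                violations.append(f"{where}: capabilities.drop must include ALL")
            # Rule 2: add may be absent, or contain nothing but NET_BIND_SERVICE
            extra = sorted(set(caps.get("add") or []) - ALLOWED_ADD)
            if extra:
                violations.append(f"{where}: capabilities.add may only contain NET_BIND_SERVICE, got {extra}")
    return violations


# Constructed sample manifests (not from the page or a real cluster).
GOOD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    {"name": "web", "image": "placeholder-image",
     "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}
BAD = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "init", "image": "placeholder-image"}],  # no securityContext at all
    "containers": [{"name": "app", "image": "placeholder-image",
                    "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["SYS_MODULE"]}}}]}}}}

if __name__ == "__main__":
    for name, manifest in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_capabilities(manifest) or "conformant")
```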

#### Resource Example
Below is a `Deployment` resource example where `securityContext.capabilities.drop` is set to `ALL`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            drop:
            - ALL
```

Below is a `Deployment` resource example where `securityContext.capabilities.add` is set to `NET_BIND_SERVICE` for both containers.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: addcap-gooddeployment05
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
      - name: container02
        image: dummyimagename
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
```


