Description
Adding additional capabilities beyond those listed below must be disallowed.
Restricted Fields
- spec.containers[*].securityContext.capabilities.add
- spec.initContainers[*].securityContext.capabilities.add
- spec.ephemeralContainers[*].securityContext.capabilities.add
Allowed Values
- Undefined/nil
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
Kyverno Policy
Refer to the Nirmata curated policies - disallow-capabilities.yaml
References
Configuration Settings
The configuration below indicates that if the deployed resource contains any of ephemeralContainers, initContainers or containers in its spec field, AND the securityContext.capabilities.add[] field is present, only values from the prescribed list make the resource conformant with this security control. If the securityContext.capabilities.add[] field is not present, the resource is conformant by default.
securityContext:
  capabilities:
    add:
    - AUDIT_WRITE
    - CHOWN
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - MKNOD
    - NET_BIND_SERVICE
    - SETFCAP
    - SETGID
    - SETPCAP
    - SETUID
    - SYS_CHROOT
Resource Example
Below is a Deployment resource example where securityContext.capabilities.add for both containers is from the allowed list of capabilities.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            add:
            - DAC_OVERRIDE
      - name: container02
        image: dummyimagename
        securityContext:
          capabilities:
            add:
            - SETGID
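As an added example (not the Nirmata policy or code from this page), the Python check below applies the rule above to a parsed manifest: it walks containers, initContainers and ephemeralContainers of a Pod or of a templated workload such as a Deployment, treats an absent or nil add field as conformant, and reports each added capability outside the allowed list. The manifest is constructed inline as the dict a YAML parser would produce; the init container and its SYS_ADMIN value are hypothetical additions to the page's gooddeployment.

```python
# Added example (not the Nirmata policy): check a Pod, or a workload carrying a
# pod template, against the allowed list of added capabilities described above.
ALLOWED_CAPABILITIES = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest):
    """Return (field path prefix, PodSpec) for a Pod or for a templated workload."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return "spec", spec
    return "spec.template.spec", (spec.get("template") or {}).get("spec") or {}


def disallowed_capabilities(manifest):
    """Return (field path, capability) pairs outside the allowed list.
    A missing or nil securityContext/capabilities/add is conformant by default."""
    prefix, spec = pod_spec(manifest)
    violations = []
    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(list_name) or []):
            sec = container.get("securityContext") or {}
            for cap in (sec.get("capabilities") or {}).get("add") or []:
                if cap not in ALLOWED_CAPABILITIES:
                    path = f"{prefix}.{list_name}[{idx}].securityContext.capabilities.add"
                    violations.append((path, cap))
    return violations


# Constructed sample: the page's gooddeployment as a parsed dict, plus a
# hypothetical init container adding SYS_ADMIN, which is outside the list.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "app"}},
             "template": {"metadata": {"labels": {"app": "app"}}, "spec": {
                 "initContainers": [{"name": "init01", "image": "dummyimagename",
                     "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
                 "containers": [
                     {"name": "container01", "image": "dummyimagename",
                      "securityContext": {"capabilities": {"add": ["DAC_OVERRIDE"]}}},
                     {"name": "container02", "image": "dummyimagename",
                      "securityContext": {"capabilities": {"add": ["SETGID"]}}}]}}},
}

if __name__ == "__main__":
    print(disallowed_capabilities(SAMPLE_DEPLOYMENT))
```

An empty list from disallowed_capabilities means the resource is conformant with this control.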