Disallow Capabilities Strict

Description

Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. In Kubernetes v1.25+ this is a Linux-only control: it applies to pods whose .spec.os.name is not "windows".

For securityContext.capabilities.drop: Restricted Fields

  • spec.containers[*].securityContext.capabilities.drop
  • spec.initContainers[*].securityContext.capabilities.drop
  • spec.ephemeralContainers[*].securityContext.capabilities.drop

Allowed Values

  • Any list of capabilities that includes ALL

For securityContext.capabilities.add: Restricted Fields

  • spec.containers[*].securityContext.capabilities.add
  • spec.initContainers[*].securityContext.capabilities.add
  • spec.ephemeralContainers[*].securityContext.capabilities.add

Allowed Values

  • Undefined/nil
  • NET_BIND_SERVICE

Kyverno Policy

Refer to the Nirmata curated policies - disallow-capabilities-strict.yaml

Configuration Settings

The configuration below indicates that securityContext.capabilities.drop must be present on every container and must include ALL. Omitting drop, or listing individual capabilities without ALL, leads to non-conformance with this security control.

securityContext:
  capabilities:
    drop:
    - ALL

The configuration below indicates that if securityContext.capabilities.add is present, the only acceptable value is NET_BIND_SERVICE. Any other value leads to non-conformance with this security control. If securityContext.capabilities.add is not present at all, the add rule is satisfied by default (the drop ALL requirement above still applies).

securityContext:
  capabilities:
    add:
    - NET_BIND_SERVICE

Resource Example

Below is a Deployment resource example where securityContext.capabilities.drop is set to ALL.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            drop:
            - ALL

Below is a Deployment resource example where both containers drop ALL capabilities and add back only NET_BIND_SERVICE. Note that adding NET_BIND_SERVICE alone is not sufficient: drop ALL is still required for each container, so the capability is added back on top of an empty set.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: addcap-gooddeployment05
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
      - name: container02
        image: dummyimagename
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
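As an added example (not part of this page and not the Nirmata/Kyverno policy it refers to, which is written as Kyverno YAML), the following Python script evaluates a Pod, or a workload carrying a Pod template, against the two rules described in the Configuration Settings above: capabilities.drop must include ALL, and capabilities.add may contain nothing other than NET_BIND_SERVICE, checked across containers, initContainers and ephemeralContainers, with Windows pods skipped. The function names, the helper builders and the sample Deployments are constructed for this example; CronJob (whose template sits under spec.jobTemplate) is deliberately not handled.

```python
# Added example: offline conformance check for the disallow-capabilities-strict
# control. Plain dicts shaped like Kubernetes API objects; no cluster needed.
from typing import Any, Dict, List

ALLOWED_ADD = {"NET_BIND_SERVICE"}
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Return the Pod spec of a bare Pod, or of a Deployment/StatefulSet/
    DaemonSet/Job style workload that carries spec.template (assumption:
    CronJob's spec.jobTemplate is not covered here)."""
    spec = obj.get("spec") or {}
    template = spec.get("template")
    if isinstance(template, dict):
        return template.get("spec") or {}
    return spec


def check_capabilities_strict(obj: Dict[str, Any]) -> List[str]:
    """Return violation messages; an empty list means the object conforms."""
    spec = pod_spec(obj)
    # Linux-only control: a pod declaring .spec.os.name == "windows" is out of scope.
    if (spec.get("os") or {}).get("name") == "windows":
        return []
    violations: List[str] = []
    for field in CONTAINER_LISTS:
        for container in spec.get(field) or []:
            name = container.get("name", "<unnamed>")
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            drop = caps.get("drop") or []
            add = caps.get("add") or []
            # Rule 1: drop must be present and include the literal string ALL.
            if "ALL" not in drop:
                violations.append(f"{field}/{name}: capabilities.drop must include ALL")
            # Rule 2: add may be absent/empty or list only NET_BIND_SERVICE.
            extra = sorted(set(add) - ALLOWED_ADD)
            if extra:
                violations.append(
                    f"{field}/{name}: capabilities.add includes {extra}; "
                    "only NET_BIND_SERVICE may be added back")
    return violations


# --- constructed sample objects (not real cluster data) -----------------------
def _container(name: str, drop=None, add=None) -> Dict[str, Any]:
    caps: Dict[str, Any] = {}
    if drop is not None:
        caps["drop"] = drop
    if add is not None:
        caps["add"] = add
    return {"name": name, "image": "dummyimagename",
            "securityContext": {"capabilities": caps} if caps else {}}


def _deployment(name: str, containers, init_containers=None, os_name=None) -> Dict[str, Any]:
    pod: Dict[str, Any] = {"containers": containers}
    if init_containers:
        pod["initContainers"] = init_containers
    if os_name:
        pod["os"] = {"name": os_name}
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name},
            "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "app"}},
                     "template": {"metadata": {"labels": {"app": "app"}}, "spec": pod}}}


GOOD = _deployment("gooddeployment", [
    _container("container01", drop=["ALL"]),                          # add absent: fine
    _container("container02", drop=["ALL"], add=["NET_BIND_SERVICE"]),  # only permitted add-back
])

BAD = _deployment("baddeployment", [
    _container("container01", drop=["NET_RAW"]),                  # drop present but no ALL
    _container("container02", drop=["ALL"], add=["SYS_ADMIN"]),   # forbidden add-back
], init_containers=[_container("init01")])                         # drop missing entirely

WINDOWS = _deployment("windowsdeployment", [_container("container01")], os_name="windows")

if __name__ == "__main__":
    for obj in (GOOD, BAD, WINDOWS):
        print(obj["metadata"]["name"], check_capabilities_strict(obj) or "conformant")
```

The init container case is the one most often missed in hand-written manifests: it has no capabilities block at all, and an absent drop list is a violation of this control, not a pass, because the Allowed Values for drop do not include undefined/nil.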