Description

Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. This is a Linux-only policy in v1.25+ (.spec.os.name != "windows").
For securityContext.capabilities.drop:

Restricted Fields
- spec.containers[*].securityContext.capabilities.drop
- spec.initContainers[*].securityContext.capabilities.drop
- spec.ephemeralContainers[*].securityContext.capabilities.drop

Allowed Values
- Any list of capabilities that includes ALL

For securityContext.capabilities.add:

Restricted Fields
- spec.containers[*].securityContext.capabilities.add
- spec.initContainers[*].securityContext.capabilities.add
- spec.ephemeralContainers[*].securityContext.capabilities.add

Allowed Values
- Undefined/nil
- NET_BIND_SERVICE
Kyverno Policy
Refer to the Nirmata curated policies - disallow-capabilities-strict.yaml
References
Configuration Settings

The configuration below indicates that in a resource, if securityContext.capabilities.drop is present, ALL should be part of that list.

```yaml
securityContext:
  capabilities:
    drop:
      - ALL
```

The configuration below indicates that in a resource, if securityContext.capabilities.add is present, the only acceptable value is NET_BIND_SERVICE. Any other value leads to non-conformance with this security control. If securityContext.capabilities.add is not present at all, then the resource is conformant by default.

```yaml
securityContext:
  capabilities:
    add:
      - NET_BIND_SERVICE
```
Resource Example

Below is a Deployment resource example where securityContext.capabilities.drop is set to ALL.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: container01
          image: dummyimagename
          securityContext:
            capabilities:
              drop:
                - ALL
```
Below is a Deployment resource example where securityContext.capabilities.add is set to NET_BIND_SERVICE for both containers.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: addcap-gooddeployment05
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: container01
          image: dummyimagename
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
        - name: container02
          image: dummyimagename
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
```
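To make the Configuration Settings and Resource Example sections above concrete, here is an added standalone checker (not the Nirmata policy and not code from this page) that applies both rules to a Pod spec, or to the pod template spec of a Deployment, across containers, initContainers and ephemeralContainers, and skips Windows pods as the Description requires. The spec is taken as a plain Python dict (the shape produced by parsing the YAML), and capability names are compared exactly as written; both are assumptions of this example.

```python
# Added example: checks the restricted-profile capabilities rules described on
# this page. Input is a Pod spec as a dict (e.g. Deployment .spec.template.spec).

ALLOWED_ADD = {"NET_BIND_SERVICE"}
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def check_capabilities(pod_spec: dict) -> list:
    """Return a list of violation messages; an empty list means conformant."""
    # Linux-only control: a Windows pod (spec.os.name == "windows") is out of scope.
    if (pod_spec.get("os") or {}).get("name") == "windows":
        return []
    violations = []
    for field in CONTAINER_FIELDS:
        for c in pod_spec.get(field) or []:
            caps = ((c.get("securityContext") or {}).get("capabilities")) or {}
            path = "spec.%s[%s].securityContext.capabilities" % (field, c.get("name", "?"))
            # drop: must be a list that includes ALL (missing drop is a violation).
            drop = caps.get("drop") or []
            if "ALL" not in drop:
                violations.append("%s.drop must include ALL (got %r)" % (path, drop))
            # add: may be absent/nil; if present, only NET_BIND_SERVICE is permitted.
            extra = sorted(set(caps.get("add") or []) - ALLOWED_ADD)
            if extra:
                violations.append(
                    "%s.add permits only NET_BIND_SERVICE (got %r)" % (path, extra))
    return violations


if __name__ == "__main__":
    # Constructed sample: conformant container plus a non-conformant init container.
    sample = {
        "containers": [{"name": "web", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
        "initContainers": [{"name": "init", "securityContext": {
            "capabilities": {"add": ["NET_ADMIN"]}}}],
    }
    for v in check_capabilities(sample):
        print(v)
```

Run against the pod template of the second Deployment above, the checker also reports the missing drop list, because the Description requires dropping ALL in addition to limiting what is added back.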