Containers with added capability are allowed
Description
Using the Linux capabilities feature you can grant certain privileges to a process without granting all the privileges of the root user. Added capabilities grant the containers in a pod additional privileges that can be used to change core processes and networking settings of a cluster. We recommend that you allow only the privileges required for the proper function of the cluster. To add or remove Linux capabilities for a container, include the capabilities field in the securityContext section of the container manifest.
Code Example
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  # Leave empty (or omit) so that no capability beyond the default set may be added
  allowedCapabilities: []
```
Remediation
Kubernetes
- Resource: PodSecurityPolicy
- Arguments: allowedCapabilities (Optional)
Provides a list of capabilities that may be added to a container beyond the default set.
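The following is an added example, not Checkov's or Prisma Cloud's own check code. It shows the two sides of this rule as a small policy checker: the PodSecurityPolicy check (spec.allowedCapabilities must be unset or empty, as in the code example above) and a companion check over Pod and workload manifests that reports every container whose securityContext.capabilities.add grants capabilities, together with whether that container first drops ALL. Manifests are represented as the dicts that yaml.safe_load() returns; the sample manifests, the capability names in them and the function names are constructed for this example.

```python
"""Added example: checks in the spirit of CKV_K8S_24, not Checkov's own code.

Manifests are plain dicts, i.e. what yaml.safe_load() would return for the
YAML files; loading the files is left to the caller.
"""
from typing import Any, Iterator

PASSED = "PASSED"
FAILED = "FAILED"


def check_psp_allowed_capabilities(manifest: dict[str, Any]) -> tuple[str, str]:
    """Return (result, reason) for a PodSecurityPolicy manifest.

    Fails when spec.allowedCapabilities lists any capability: every pod admitted
    under this policy may then add those capabilities beyond the default set.
    Unset, null and [] are all treated as "nothing may be added".
    """
    if manifest.get("kind") != "PodSecurityPolicy":
        return PASSED, "not a PodSecurityPolicy"
    spec = manifest.get("spec") or {}
    allowed = spec.get("allowedCapabilities") or []
    if allowed:
        return FAILED, "allowedCapabilities permits: " + ", ".join(allowed)
    return PASSED, "allowedCapabilities is unset or empty"


def _containers(pod_spec: dict[str, Any]) -> Iterator[dict[str, Any]]:
    # init and ephemeral containers carry their own securityContext too
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(key) or []:
            yield container


def check_added_capabilities(manifest: dict[str, Any]) -> list[tuple[str, list[str], bool]]:
    """Return (container name, added capabilities, drops ALL) for each container
    that adds capabilities via securityContext.capabilities.add.

    Accepts a Pod directly, or any workload kind that embeds a pod template
    (Deployment, StatefulSet, DaemonSet, Job, ...) under spec.template.spec.
    """
    if manifest.get("kind") == "Pod":
        pod_spec = manifest.get("spec") or {}
    else:
        template = (manifest.get("spec") or {}).get("template") or {}
        pod_spec = template.get("spec") or {}
    findings = []
    for container in _containers(pod_spec):
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        added = list(caps.get("add") or [])
        if added:
            drops_all = "ALL" in (caps.get("drop") or [])
            findings.append((container.get("name", "<unnamed>"), added, drops_all))
    return findings


# Constructed sample manifests (not from any real cluster)
PSP_PERMISSIVE = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "permissive"},
    "spec": {"allowedCapabilities": ["NET_ADMIN", "SYS_ADMIN"]},
}
PSP_RESTRICTED = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {"allowedCapabilities": []},
}
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        # drops everything, then adds back the single capability it needs
        {"name": "web", "image": "example/web",
         "securityContext": {"capabilities": {"drop": ["ALL"],
                                              "add": ["NET_BIND_SERVICE"]}}},
        # no capabilities block at all: nothing to report
        {"name": "sidecar", "image": "example/sidecar"},
    ]}}},
}

if __name__ == "__main__":
    for psp in (PSP_PERMISSIVE, PSP_RESTRICTED):
        result, reason = check_psp_allowed_capabilities(psp)
        print(psp["metadata"]["name"], result, reason)
    for name, added, drops_all in check_added_capabilities(DEPLOYMENT):
        print(name, "adds", added, "(drops ALL first)" if drops_all else "(keeps default set)")
```

Under this rule the permissive policy fails and the restricted one passes; the workload check is informational, so a reviewer can see that the web container follows the drop-ALL-then-add-one pattern rather than piling NET_BIND_SERVICE onto the default set. Note that the PodSecurityPolicy API was removed in Kubernetes v1.25, so on newer clusters the container-level check is the one that still applies.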
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1102 |
| Severity | LOW |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_24 |