CAP_SYS_ADMIN Linux capability is used
Description
Capabilities permit certain named root actions without giving full root access and are considered a fine-grained permissions model. We recommend dropping all capabilities from a pod and adding back only those that are required. There are a large number of capabilities, and CAP_SYS_ADMIN is the broadest of them. CAP_SYS_ADMIN is a highly privileged access level equivalent to root access and should generally be avoided.
Code Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        add:
        - SYS_ADMIN  # flagged by this rule: remove this entry
```
Remediation
Kubernetes
- Resource: Container
- Arguments: securityContext:capabilities:add (optional). The add capabilities field grants certain privileges to a process.
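The following is an added example, not Checkov's or the policy vendor's implementation of this rule: a small audit that reports containers adding SYS_ADMIN and, going one step beyond the rule to cover the recommendation in the description, containers that do not drop ALL. The function names, the sample manifests, the case-insensitive matching with an optional CAP_ prefix, and the handling of workloads through `spec.template.spec` are assumptions made for illustration.

```python
import json

# Constructed sample manifests (not from the original page).
SAMPLE = json.loads("""[
 {"kind": "Pod", "metadata": {"name": "legacy-agent"},
  "spec": {"containers": [
    {"name": "agent",
     "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}},
 {"kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
    "initContainers": [
      {"name": "setup",
       "securityContext": {"capabilities": {"add": ["cap_sys_admin"]}}}],
    "containers": [
      {"name": "web",
       "securityContext": {"capabilities":
         {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}}}
]""")

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload's pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def names(caps, key):
    """Capability names, ignoring case and an optional CAP_ prefix."""
    upper = (str(x).upper() for x in caps.get(key) or [])
    return {x[4:] if x.startswith("CAP_") else x for x in upper}


def audit(manifest):
    """List (owner, container, issue) for risky capability settings."""
    owner = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    findings = []
    for field in CONTAINER_FIELDS:
        for c in pod_spec(manifest).get(field) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            if "SYS_ADMIN" in names(caps, "add"):
                findings.append((owner, c.get("name"), "adds SYS_ADMIN"))
            if "ALL" not in names(caps, "drop"):
                findings.append((owner, c.get("name"), "does not drop ALL"))
    return findings
```

Manifests stored as YAML can be converted to the same dictionaries with any YAML parser before calling `audit`.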
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1117 |
| Severity | HIGH |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes, |
| Checkov ID | CKV_K8S_39 |