Lateral movement

Controller creating containers without dropped capabilities

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

Linux Capabilities refer to the division of the privileges, which are traditionally associated with superuser, into distinct units which can be independently enabled and disabled. The Kubernetes controller {K8sController} was found configured with settings that create containers without dropping any capabilities. This can mean that containers are running with more capabilities then they require. The capabilities of a container are defined in the SecurityContext of the container and are responsible for limiting the potential attack vectors beyond the pod-level context. These can limit the capabilities added to or dropped from a container. An attacker may use these unused capabilities to compromise the cluster.
  • Recommended Mitigation

    Consider adding dropped capabilities of the containers in {K8sController} controller in accordance with the Principle of Least Privileges