Lateral movement

Controller creating containers without dropped capabilities

  • N/A

Compliance Frameworks
Linux capabilities divide the privileges traditionally associated with the superuser into distinct units that can be enabled and disabled independently. The Kubernetes controller {K8sController} was found configured with settings that create containers without dropping any capabilities, which means those containers may be running with more capabilities than they require. A container's capabilities are set in its own securityContext, through the capabilities `add` and `drop` lists, and this container-level setting limits the potential attack surface beyond what the pod-level securityContext controls. An attacker who compromises such a container may use these unneeded capabilities to go further and compromise the cluster.
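The check below, added here as an illustration and not part of the original rule text or any scanner's code, walks a workload manifest (a bare Pod or any controller with a pod template), reports every container, init containers included, whose securityContext drops no capabilities, and produces a hardened copy that drops ALL and re-adds only an explicitly listed capability. The Deployment, its name and its container names are constructed for the example; the `keep` parameter and helper names are assumptions of this example. It uses only the standard library so it runs offline without a YAML parser.

```python
"""Added example: detect and fix containers that drop no Linux capabilities.

Not part of the original page. The manifest below is constructed for this
example; names and images are placeholders, not values from a real cluster.
"""
import copy
import json

# Constructed sample Deployment: the init container and the "web" container set
# no capabilities.drop at all, while "sidecar" already drops ALL and re-adds one.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-web"},  # placeholder name
    "spec": {
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "init-db", "image": "example/init:1.0"},
                ],
                "containers": [
                    {
                        "name": "web",
                        "image": "example/web:1.0",
                        "securityContext": {"runAsNonRoot": True},
                    },
                    {
                        "name": "sidecar",
                        "image": "example/sidecar:1.0",
                        "securityContext": {
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}
                        },
                    },
                ],
            }
        }
    },
}


def _pod_spec(manifest):
    """Return the PodSpec for a bare Pod or for a controller's pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _all_containers(pod_spec):
    """Yield every container the pod will run, init containers included."""
    for key in ("initContainers", "containers"):
        yield from pod_spec.get(key) or []


def containers_without_dropped_caps(manifest):
    """Names of containers whose own securityContext drops no capabilities.

    Capabilities are a container-level setting: the pod-level securityContext
    has no capabilities field, so only the container's own block is consulted.
    """
    flagged = []
    for c in _all_containers(_pod_spec(manifest)):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        if not (caps.get("drop") or []):
            flagged.append(c["name"])
    return flagged


def harden(manifest, keep=None):
    """Return a deep copy in which every container drops ALL capabilities.

    `keep` (assumed helper parameter) maps container name -> capabilities to add
    back explicitly; when absent, an existing `add` list is preserved so a
    container that already re-adds e.g. NET_BIND_SERVICE keeps working.
    """
    keep = keep or {}
    fixed = copy.deepcopy(manifest)
    for c in _all_containers(_pod_spec(fixed)):
        sc = c.get("securityContext") or {}
        c["securityContext"] = sc
        caps = sc.get("capabilities") or {}
        sc["capabilities"] = caps
        caps["drop"] = ["ALL"]
        wanted = keep.get(c["name"], caps.get("add"))
        if wanted:
            caps["add"] = list(wanted)
        else:
            caps.pop("add", None)
    return fixed


if __name__ == "__main__":
    print("flagged:", containers_without_dropped_caps(SAMPLE_DEPLOYMENT))
    hardened = harden(SAMPLE_DEPLOYMENT)
    print(json.dumps(hardened["spec"]["template"]["spec"], indent=2))
```

Running it flags `init-db` and `web` and leaves `sidecar` alone; after `harden()` no container is flagged, and the sidecar still re-adds only NET_BIND_SERVICE on top of `drop: ["ALL"]`. Dropping ALL and adding back individual capabilities is the pattern that keeps the allow-list explicit, which is what an auditor or admission policy can reason about.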