Lateral movement

Controller creating containers without dropped capabilities

Risk Level

Informational (4)

Platform(s)
  • N/A

Description

Linux capabilities divide the privileges traditionally associated with the superuser into distinct units that can be enabled and disabled independently. The Kubernetes controller {K8sController} was found configured to create containers without dropping any capabilities, so those containers may run with more capabilities than they require: a container whose securityContext lists no dropped capabilities receives the container runtime's default capability set (which includes capabilities such as NET_RAW and SYS_CHROOT), not an empty one. A container's capabilities are defined in its SecurityContext (capabilities.add and capabilities.drop), which narrows the attack surface below the pod-level context by controlling which capabilities are added to or dropped from the container. An attacker who compromises the container can use these unneeded capabilities to escalate privileges or move further into the cluster.
  • Recommended Mitigation

    Consider dropping all capabilities (capabilities.drop: ["ALL"]) for the containers created by the {K8sController} controller and adding back only the few a workload demonstrably needs (for example NET_BIND_SERVICE for a server that binds a port below 1024), in accordance with the Principle of Least Privilege.
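
The following is an added example and not part of the original finding or of any scanner's own code. It audits a workload manifest for containers that do not drop all capabilities, exactly the condition this finding reports, and shows the hardened securityContext the mitigation asks for. The Deployment is constructed sample input written as a Python dict; its structure is identical to the YAML a practitioner would write, and the names `web`, `init-db` and `HARDENED_SECURITY_CONTEXT` are assumptions made for the example.

```python
"""Audit Kubernetes workload manifests for containers that do not drop
Linux capabilities, and apply the hardened securityContext.

Added example, not code from the original finding. The manifest below is
constructed sample input (a Deployment as a Python dict; the structure is
the same as the YAML a practitioner would write).
"""
import copy

# Constructed sample: a Deployment whose containers set no securityContext,
# so they keep the container runtime's default capability set.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},  # assumed names
    "spec": {
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "init-db", "image": "busybox:1.36"},
                ],
                "containers": [
                    {"name": "web", "image": "nginx:1.25"},
                ],
            }
        }
    },
}

# The securityContext the mitigation asks for: drop every capability and
# re-add only what the workload demonstrably needs (by default, nothing).
HARDENED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}


def _all_containers(manifest):
    """Yield (field, container) for init, regular and ephemeral containers of
    a Pod or of a controller that embeds a Pod template (Deployment,
    DaemonSet, StatefulSet, Job, ...)."""
    if manifest.get("kind") == "Pod":
        pod_spec = manifest.get("spec", {})
    else:
        pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            yield field, container


def drops_all_capabilities(container):
    """True only when the container explicitly drops ALL capabilities.
    A missing securityContext, a missing capabilities block, or a partial
    drop list (e.g. only NET_RAW) all count as 'not dropped'."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {str(c).upper() for c in caps.get("drop") or []}
    return "ALL" in dropped


def containers_without_dropped_caps(manifest):
    """Return 'field/name' for every container this finding would flag."""
    return [
        f"{field}/{container['name']}"
        for field, container in _all_containers(manifest)
        if not drops_all_capabilities(container)
    ]


def harden(manifest, keep=None):
    """Return a copy of the manifest in which every container drops ALL
    capabilities; `keep` lists the capabilities a container may add back
    (e.g. ['NET_BIND_SERVICE'] for a server binding port 80)."""
    hardened = copy.deepcopy(manifest)
    for _, container in _all_containers(hardened):
        sc = container.setdefault("securityContext", {})
        sc.update(copy.deepcopy(HARDENED_SECURITY_CONTEXT))
        if keep:
            sc["capabilities"]["add"] = list(keep)
    return hardened


if __name__ == "__main__":
    print("flagged:", containers_without_dropped_caps(WEAK_DEPLOYMENT))
    fixed = harden(WEAK_DEPLOYMENT, keep=["NET_BIND_SERVICE"])
    print("after hardening:", containers_without_dropped_caps(fixed))
```

Dropping ALL and then adding back a named few is the pattern required by the Kubernetes Pod Security Standards "restricted" profile (which permits adding back only NET_BIND_SERVICE), and it is what the check above treats as compliant; a drop list that names individual capabilities leaves every capability not listed in place, so the check deliberately does not accept it. Run the check against manifests exported from the cluster (for example the output of kubectl get deployments -o json, parsed with the json module) to cover every controller, not just the one named in the finding.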