Prevent Additional Capabilities 1.1.5

Makes it impossible to start a container with additional capabilities.

Note that this policy is part of the following security standards:

k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.2.8
nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A17, SYS.1.6.A21

Privilege Escalation
Security
bsi/containerization
cis/kubernetes
k8s/baseline
k8s/restricted
nist/SP.800-190

Applies to

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
-         securityContext:
-           capabilities:
-             add: ["CAP_NET_ADMIN"]

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventadditionalcapabilities as on the example below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.preventadditionalcapabilities: |-
      This container needs additional capabilities to work properly.
...