Property
Language: terraform
Severity: low

Description

Containers are not configured to drop all default Linux capabilities, which means they retain more privileges than necessary for their function. This increases the attack surface by allowing processes inside the container to perform potentially dangerous actions.

Impact

If exploited, attackers who gain access to a container could leverage unused default capabilities to escalate privileges, interfere with the host system, or compromise other containers, increasing the risk of lateral movement and system compromise.

Resolution

Add 'ALL' to containers[].securityContext.capabilities.drop.
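As an added example (not from this check page or the Trivy project), the same Pod written for the Terraform Kubernetes provider, first in the form this check flags and then with the resolution applied; the resource names, the image, and the re-added NET_BIND_SERVICE capability are assumptions for illustration.

```terraform
# Added example, not from the check page. A container that never sets
# capabilities.drop keeps the runtime's default capability set, which is
# the condition this check reports.
resource "kubernetes_pod" "flagged" {
  metadata {
    name = "example-flagged" # placeholder name
  }

  spec {
    container {
      name  = "app"
      image = "nginx:1.25" # placeholder image

      security_context {
        # No capabilities block: CHOWN, NET_RAW, SETUID, ... stay available
        # to every process in the container.
        allow_privilege_escalation = false
      }
    }
  }
}

# Resolved: drop every default capability. Anything the workload genuinely
# needs is then listed explicitly in `add`, so the retained set is reviewable.
resource "kubernetes_pod" "fixed" {
  metadata {
    name = "example-fixed" # placeholder name
  }

  spec {
    container {
      name  = "app"
      image = "nginx:1.25" # placeholder image

      security_context {
        allow_privilege_escalation = false
        capabilities {
          drop = ["ALL"]
          # Assumed requirement: only keep this if the process binds a
          # privileged port (< 1024); otherwise leave `add` out entirely.
          add = ["NET_BIND_SERVICE"]
        }
      }
    }
  }
}
```

The `capabilities` block maps to containers[].securityContext.capabilities in the rendered Pod manifest, so scanning the plan or the resulting YAML with the same check no longer reports the second resource.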