Container capabilities must only include NET_BIND_SERVICE
| Property | Value |
|---|---|
| Language | |
| Severity | |
Description
The container is configured with more Linux capabilities than it needs: instead of dropping all capabilities and adding back only NET_BIND_SERVICE, it keeps the runtime's default capability set and/or adds further capabilities. NET_BIND_SERVICE is the one capability a typical service needs, and only so that a non-root process can bind a port below 1024; every additional capability widens what a compromised process inside the container is able to do.
Impact
If the process in the container is compromised, the attacker inherits every capability the container holds. Capabilities beyond NET_BIND_SERVICE (for example NET_RAW, SYS_CHROOT, MKNOD and SETUID/SETGID from the usual runtime default set, or SYS_ADMIN if it was added explicitly) can be used to escalate privileges inside the container, tamper with the network, or reach host resources, increasing the risk of a container breakout or unauthorized access to the node.
Resolution
Set ‘spec.containers[].securityContext.capabilities.drop’ to ‘ALL’ and list only ‘NET_BIND_SERVICE’ under ‘spec.containers[].securityContext.capabilities.add’; this is the same requirement the restricted Pod Security Standard imposes. For workload objects such as Deployments, StatefulSets and DaemonSets the same fields live under ‘spec.template.spec.containers[]’. If the service can listen on a port above 1023 (a Service can still expose it on 80 or 443), leave ‘add’ empty as well, since NET_BIND_SERVICE is then not needed either.
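The following checker is an added example and is not code from the original rule page or from any scanner it may belong to. It enforces the resolution above on a manifest, showing a non-compliant Pod beside a compliant Deployment. The manifests are embedded as Python dicts (the JSON form of the YAML) so the script has no dependencies; both sample manifests are constructed for illustration. It goes slightly beyond the rule text by also checking initContainers and ephemeralContainers, which run with the same runtime default capability set, and by unwrapping workload pod templates.

```python
# Added example: enforce "drop ALL, add only NET_BIND_SERVICE" on Kubernetes manifests.
# Manifests are plain dicts (JSON form of the YAML); the samples below are constructed.

ALLOWED_ADD = {"NET_BIND_SERVICE"}


def _norm(cap: str) -> str:
    """Normalise a capability name: upper-case, optional CAP_ prefix removed."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _pod_spec(manifest: dict) -> dict:
    """Return the pod spec for a Pod, or for a workload that wraps a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, ReplicaSet, Job
        return (spec["template"] or {}).get("spec") or {}
    return spec


def check_manifest(manifest: dict) -> list:
    """Return one finding string per violation; an empty list means compliant."""
    findings = []
    spec = _pod_spec(manifest)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            drop = {_norm(x) for x in caps.get("drop") or []}
            add = {_norm(x) for x in caps.get("add") or []}
            path = f"spec.{field}[{c.get('name', '?')}]"
            # A missing securityContext is a finding too: the runtime default set applies.
            if "ALL" not in drop:
                findings.append(
                    f"{path}: capabilities.drop must contain ALL (found {sorted(drop) or 'none'})")
            extra = add - ALLOWED_ADD
            if extra:
                findings.append(
                    f"{path}: capabilities.add grants {sorted(extra)}; only NET_BIND_SERVICE is permitted")
    return findings


# Constructed sample: default capability set kept, and NET_RAW added on top.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-bad"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx:1.25",
        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE", "NET_RAW"]}},
    }]},
}

# Constructed sample: the setting the Resolution asks for, inside a Deployment template.
COMPLIANT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-good"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "web"}},
        "template": {
            "metadata": {"labels": {"app": "web"}},
            "spec": {"containers": [{
                "name": "web", "image": "nginx:1.25",
                "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
            }]},
        },
    },
}

if __name__ == "__main__":
    for m in (NONCOMPLIANT_POD, COMPLIANT_DEPLOYMENT):
        print(m["metadata"]["name"], check_manifest(m) or "OK")
```

The check treats a container with no securityContext as a violation, because the runtime then applies its default capability set rather than an empty one. Capability names are normalised case-insensitively and with an optional CAP_ prefix, which is more lenient than the manifest form Kubernetes documents (upper-case, no prefix); tighten ‘_norm’ if you want to flag non-canonical spellings as well.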