# SYS_MODULE capability added

| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | misconfiguration |
## Description

Granting the SYS_MODULE capability to a container allows it to load and unload kernel modules. Because the kernel is shared by the host and every container on it, code loaded this way runs outside the namespace and cgroup boundaries that isolate the container, so the capability effectively hands the container extensive control over the underlying system.
## Impact
If exploited, an attacker with access to such a container could install malicious kernel modules or alter system-level behavior, potentially leading to privilege escalation, host compromise, and full control over the infrastructure.
## Resolution

Remove SYS_MODULE from `containers[].securityContext.capabilities.add`. The recommended pattern is to drop all capabilities (`drop: ["ALL"]`) and then add back only the specific capabilities the workload actually requires.
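As an added example (not part of the original rule page), the check below walks a Kubernetes Pod spec that has already been parsed into Python dicts, reports every container whose `securityContext.capabilities.add` grants SYS_MODULE, and produces a hardened copy that follows the drop-all-then-add-back pattern. It assumes capability names may appear with or without a `CAP_` prefix and that `ALL` should count as granting SYS_MODULE; the sample spec is constructed for illustration.

```python
import copy

# Added example, not the scanner's own code. Capability names are compared
# case-insensitively with an optional "CAP_" prefix removed (assumption), and
# "ALL" is treated as granting SYS_MODULE as well (assumption).

def _normalize(cap):
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def _containers(pod_spec):
    """Yield (path, container) for init, regular and ephemeral containers."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for i, c in enumerate(pod_spec.get(field) or []):
            yield f"{field}[{i}]", c

def find_sys_module(pod_spec):
    """Return the spec paths of every container that adds SYS_MODULE (or ALL)."""
    findings = []
    for path, c in _containers(pod_spec):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        names = {_normalize(a) for a in (caps.get("add") or [])}
        if "SYS_MODULE" in names or "ALL" in names:
            findings.append(f"{path}.securityContext.capabilities.add")
    return findings

def harden(pod_spec, keep=()):
    """Return a copy where every container drops ALL and adds back only `keep`."""
    fixed = copy.deepcopy(pod_spec)
    for _, c in _containers(fixed):
        sc = c.setdefault("securityContext", {})
        sc["capabilities"] = {"drop": ["ALL"], "add": list(keep)}
    return fixed

# Constructed sample spec: two offending containers (one with the CAP_ prefix)
# and one clean sidecar.
SAMPLE_POD_SPEC = {
    "containers": [
        {"name": "app", "image": "example/app:1.0",
         "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE", "SYS_MODULE"]}}},
        {"name": "sidecar", "image": "example/sidecar:1.0"},
    ],
    "initContainers": [
        {"name": "init", "image": "example/init:1.0",
         "securityContext": {"capabilities": {"add": ["CAP_SYS_MODULE"]}}},
    ],
}

if __name__ == "__main__":
    for f in find_sys_module(SAMPLE_POD_SPEC):
        print("SYS_MODULE granted at", f)
    print("after hardening:", find_sys_module(harden(SAMPLE_POD_SPEC, keep=["NET_BIND_SERVICE"])))
```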