Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

The configuration adds Linux capabilities to containers beyond the default set, violating Kubernetes Pod Security Standards. Granting extra capabilities can expose the container to elevated privileges and increase the attack surface.

Impact

Attackers could exploit the additional capabilities to perform unauthorized actions within the container, potentially leading to privilege escalation, lateral movement, or compromise of the host system and other resources in the Kubernetes cluster.

Resolution

Do not set spec.containers[].securityContext.capabilities.add and spec.initContainers[].securityContext.capabilities.add.
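The following is an added example, not code from the rule page itself, showing what this rule flags in a Terraform kubernetes_pod resource and the compliant form beside it. The resource names, namespace and image tag are placeholders; the attribute paths (spec.container[*].security_context.capabilities and spec.init_container[*].security_context.capabilities) are the Terraform kubernetes provider's equivalents of the spec.containers[].securityContext.capabilities paths named in the resolution.

```hcl
# Added example (not from the original rule page). Names, namespace and image
# are placeholders chosen for illustration.

# Flagged: capabilities.add grants NET_ADMIN beyond the default capability set.
resource "kubernetes_pod" "flagged" {
  metadata {
    name      = "example-flagged"
    namespace = "default"
  }

  spec {
    container {
      name  = "app"
      image = "nginx:1.25"

      security_context {
        capabilities {
          add = ["NET_ADMIN"] # <-- this is what the rule reports
        }
      }
    }
  }
}

# Compliant: no capabilities.add on the container or the init container.
# Dropping ALL and disabling privilege escalation goes further than the rule
# requires but matches the Pod Security Standards "restricted" profile.
resource "kubernetes_pod" "compliant" {
  metadata {
    name      = "example-compliant"
    namespace = "default"
  }

  spec {
    init_container {
      name  = "init"
      image = "busybox:1.36"
      command = ["sh", "-c", "echo init"]

      security_context {
        allow_privilege_escalation = false
        capabilities {
          drop = ["ALL"]
        }
      }
    }

    container {
      name  = "app"
      image = "nginx:1.25"

      security_context {
        allow_privilege_escalation = false
        capabilities {
          drop = ["ALL"]
        }
      }
    }
  }
}
```

When reviewing a finding, check both the container and init_container blocks: the resolution covers both paths, and an init container that adds capabilities is just as much a finding as the main container. If a workload genuinely needs a capability, the decision to keep an add entry should be documented with the specific capability and the reason, rather than suppressing the rule for the whole resource.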