Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Granting the SYS_ADMIN capability to containers gives processes inside the container root-level privileges, significantly expanding their control over the host system. This configuration bypasses key container isolation mechanisms and introduces serious security risks.

Impact

If exploited, an attacker with access to the container could perform privileged operations such as mounting file systems, altering kernel parameters, or escaping the container to compromise the underlying host. This can lead to full system compromise, data breaches, and unauthorized control over other workloads in the cluster.

Resolution

Remove the SYS_ADMIN capability from `containers[].securityContext.capabilities.add`.
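The weak setting beside its corrected form, as an added example using the Terraform `kubernetes` provider (not code from the original page); the resource names, namespace and image are placeholders chosen for illustration:

```hcl
# Flagged: SYS_ADMIN added to the container's capability set.
resource "kubernetes_pod" "flagged" {
  metadata {
    name      = "example-flagged"   # placeholder name
    namespace = "default"
  }

  spec {
    container {
      name  = "app"
      image = "example.internal/app:1.0" # placeholder image

      security_context {
        capabilities {
          add = ["SYS_ADMIN"] # grants near-root control; fails this rule
        }
      }
    }
  }
}

# Corrected: SYS_ADMIN removed from `add`; drop everything and re-add
# only a narrowly scoped capability if the workload truly needs one.
resource "kubernetes_pod" "hardened" {
  metadata {
    name      = "example-hardened"  # placeholder name
    namespace = "default"
  }

  spec {
    container {
      name  = "app"
      image = "example.internal/app:1.0" # placeholder image

      security_context {
        allow_privilege_escalation = false
        capabilities {
          drop = ["ALL"]
          add  = ["NET_BIND_SERVICE"] # example of a minimal, specific need
        }
      }
    }
  }
}
```

Scanners that implement this rule inspect the `add` list under `security_context.capabilities` for each `container` block, so the corrected resource passes while the first is reported.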