Containers With Added Capabilities

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-006
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "Containers With Added Capabilities"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-266"
    rules.spotter.dev/description: "Containers should not add Linux capabilities beyond the default set, as this can increase the attack surface."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude: 
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && (
      (has(object.spec.containers) && object.spec.containers.exists(c,
        has(c.securityContext) && has(c.securityContext.capabilities) && has(c.securityContext.capabilities.add) && size(c.securityContext.capabilities.add) > 0 &&
        !(has(c.securityContext.capabilities.drop) && c.securityContext.capabilities.drop.exists(cap, cap == 'ALL') &&
          c.securityContext.capabilities.add.all(addCap, addCap == 'NET_BIND_SERVICE'))
      )) ||
      (has(object.spec.initContainers) && object.spec.initContainers.exists(c,
        has(c.securityContext) && has(c.securityContext.capabilities) && has(c.securityContext.capabilities.add) && size(c.securityContext.capabilities.add) > 0 &&
        !(has(c.securityContext.capabilities.drop) && c.securityContext.capabilities.drop.exists(cap, cap == 'ALL') &&
          c.securityContext.capabilities.add.all(addCap, addCap == 'NET_BIND_SERVICE'))
      ))
    )) ||
    (object.kind != 'Pod' && (
      (has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c,
        has(c.securityContext) && has(c.securityContext.capabilities) && has(c.securityContext.capabilities.add) && size(c.securityContext.capabilities.add) > 0 &&
        !(has(c.securityContext.capabilities.drop) && c.securityContext.capabilities.drop.exists(cap, cap == 'ALL') &&
          c.securityContext.capabilities.add.all(addCap, addCap == 'NET_BIND_SERVICE'))
      )) ||
      (has(object.spec.template.spec.initContainers) && object.spec.template.spec.initContainers.exists(c,
        has(c.securityContext) && has(c.securityContext.capabilities) && has(c.securityContext.capabilities.add) && size(c.securityContext.capabilities.add) > 0 &&
        !(has(c.securityContext.capabilities.drop) && c.securityContext.capabilities.drop.exists(cap, cap == 'ALL') &&
          c.securityContext.capabilities.add.all(addCap, addCap == 'NET_BIND_SERVICE'))
      ))
    ))
  remediation:
    manual: "Review and remove any unnecessary added capabilities from the container's security context."
  references:
    - title: "Kubernetes Pod Security Standards (Restricted)"
      url: "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod2
    spec:
      containers:
      - name: app
        image: images.my-company.example/app:v4
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
               add: ["NET_ADMIN", "SYS_TIME"]
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
      - name: log-aggregator
        image: images.my-company.example/log-aggregator:v6
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
- name: insecure sample 2 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod3
    spec:
      initContainers:
      - name: app
        image: images.my-company.example/app:v4
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
               add: ["NET_ADMIN", "SYS_TIME"]
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
      - name: log-aggregator
        image: images.my-company.example/log-aggregator:v6
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
      containers:
      - name: app
        image: images.my-company.example/app:v4
- name: secure sample 1 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod1
    spec:
      containers:
      - name: app
        image: images.my-company.example/app:v4
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"

      - name: log-aggregator
        image: images.my-company.example/log-aggregator:v6
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
- name: secure sample 2 should pass
  pass: true
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod4
    spec:
      containers:
      - name: app
        image: images.my-company.example/app:v4
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            add:
              - NET_BIND_SERVICE
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
      - name: log-aggregator
        image: images.my-company.example/log-aggregator:v6
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-workload-006
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-workload-006
spec:
  # Add your VAP configuration here

Rule Metadata

Containers With Added Capabilities

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub