Back to Security Rules

Rule Metadata

Last updated: 2024-01-15
🔴
Severity
CRITICAL
🛡️
Category
Workload & Runtime Security
Version
v1.0.0
Downloads
1.2K
Author: Spotter Security Team
Created: 2024-01-10
Compliance:
CIS NIST

No Drop Capabilities for Containers

Containers should explicitly drop all capabilities by default and only add back those that are absolutely necessary.

YAML Configuration

rule.yaml YAML 
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-008
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "No Drop Capabilities for Containers"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-266"
    rules.spotter.dev/description: "Containers should explicitly drop all capabilities by default and only add back those that are absolutely necessary."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
          - "extensions"
        versions:
          - "v1"
          - "v1beta1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude: 
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && (
      (has(object.spec.containers) && object.spec.containers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) ||
        (!c.securityContext.capabilities.drop.exists(cap, cap == "ALL") && !c.securityContext.capabilities.drop.exists(cap, cap == "all"))
      )) ||
      (has(object.spec.initContainers) && object.spec.initContainers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) ||
        (!c.securityContext.capabilities.drop.exists(cap, cap == "ALL") && !c.securityContext.capabilities.drop.exists(cap, cap == "all"))
      ))
    )) ||
    (object.kind != 'Pod' && (
      (has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) ||
        (!c.securityContext.capabilities.drop.exists(cap, cap == "ALL") && !c.securityContext.capabilities.drop.exists(cap, cap == "all"))
      )) ||
      (has(object.spec.template.spec.initContainers) && object.spec.template.spec.initContainers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) ||
        (!c.securityContext.capabilities.drop.exists(cap, cap == "ALL") && !c.securityContext.capabilities.drop.exists(cap, cap == "all"))
      ))
    ))
  remediation:
    manual: "Add capabilities.drop: [\"ALL\"] to the container's security context."
  references:
    - title: "Kubernetes Pod Security Standards (Restricted)"
      url: "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"