Highly privileged CAP_SYS_ADMIN granted

ID

allowed_capabilities_sys_admin

Severity

high

Vendor

Kubernetes

Resource

General Security

Tags

reachable

Description

Linux capabilities let you grant a process specific privileges without granting it all the privileges of the root user.

CAP_SYS_ADMIN is a highly privileged capability that is effectively equivalent to root access on the host, and adding it to a container should generally be avoided.

Learn more about this topic at Set capabilities for a Container.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
    - name: bad-container
      image: <container-image>
      securityContext:
        capabilities:
          add: ["SYS_ADMIN"] # (1)
1 Provided SYS_ADMIN capability means root access to the host is granted.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good # (1)
spec:
  containers:
    - name: good-container
      image: <container-image>
1 No SYS_ADMIN capability means root access to the host is not granted.
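As an added example (not this rule's own implementation), a small Python check that applies the rule above to parsed manifests: it walks the containers, initContainers and ephemeralContainers of a Pod, or of a workload's pod template, and reports any that add SYS_ADMIN. It goes slightly beyond the text by also treating `ALL` and the `CAP_`-prefixed spelling as matches; that broader matching, the helper names and the dict-form sample manifests are assumptions of this example.

```python
# Added example: a check for the rule above, not the scanner's own code.
# Manifests arrive as already-parsed dicts (what yaml.safe_load returns).

# Spellings treated as granting the capability (assumption of this example):
# Kubernetes takes the name without CAP_, some authors add the prefix anyway,
# and "ALL" is a superset that includes SYS_ADMIN.
SYS_ADMIN_SPELLINGS = {"SYS_ADMIN", "CAP_SYS_ADMIN", "ALL"}

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec_of(manifest):
    """Return the PodSpec of a Pod, a CronJob, or a template-based workload."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, ReplicaSet, Job (and a CronJob's Job)
    return (spec.get("template") or {}).get("spec") or {}


def find_sys_admin_containers(manifest):
    """Names of containers whose securityContext.capabilities.add grants SYS_ADMIN."""
    findings = []
    pod_spec = pod_spec_of(manifest)
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field) or []:
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            added = {str(c).upper() for c in caps.get("add") or []}
            if added & SYS_ADMIN_SPELLINGS:
                findings.append(container.get("name", "<unnamed>"))
    return findings


# Constructed sample input: the two Pods from this page, in dict form.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {"containers": [{"name": "bad-container", "image": "<container-image>",
             "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]},
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {"containers": [{"name": "good-container", "image": "<container-image>"}]},
}

if __name__ == "__main__":
    for manifest in (BAD_POD, GOOD_POD):
        hits = find_sys_admin_containers(manifest)
        print(f"{manifest['metadata']['name']}: {'FAIL' if hits else 'PASS'} {hits}")
```

The check reads `securityContext.capabilities.add` only; a container that merely drops capabilities, or has no securityContext at all, passes.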