Risks of adding privileged processes in pods
Unless otherwise specified, anyone can add Linux capabilities at their convenience, even in the container.
For example, pods or nodes can get the capability CAP_NET_BIND_SERVICE, which can be used to open privileged ports. So, you can open ports in the cluster, so that you can access the cluster from outside.
In the podsecuritypolicy the following entry should be preserved by default:
requiredDropCapabilities: - ALL
(As of Kubernetes 1.25 use PodSecurityAdmission instead of PodSecurityPolicies, as the feature became deprecated)
Please feel free to contact us for any question that is not answered yet.
We are looking forward to get in contact with you!
Hinter Stöck 17
+49 7433 93724 00