Securing Kubernetes Pods: How to Prevent Unwanted Privileged Processes and Enhance Your System's Security
Risks of adding privileged processes in pods
Unless a policy specifies otherwise, anyone can add Linux capabilities at will, including to the processes inside a container.
For example, pods or nodes can be granted the capability CAP_NET_BIND_SERVICE, which lets a process open privileged ports. Ports opened this way in the cluster can then be used to access the cluster from outside.
In the PodSecurityPolicy, the following entry should be kept by default:
requiredDropCapabilities:
- ALL
(As of Kubernetes 1.25, use Pod Security Admission instead of PodSecurityPolicy, as the PodSecurityPolicy feature was deprecated.)
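The same requirement expressed for Pod Security Admission, as an added example that is not part of the original page: a namespace that enforces the "restricted" Pod Security Standard and a pod that passes it. The namespace name, pod name, image and user ID are placeholders.

```yaml
# Namespace that enforces the "restricted" Pod Security Standard.
# Pod Security Admission only validates pods; unlike a PodSecurityPolicy
# with requiredDropCapabilities, it does not add the drop for you.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-restricted                 # placeholder name
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject violating pods
    pod-security.kubernetes.io/warn: restricted      # warn the client on apply
    pod-security.kubernetes.io/audit: restricted     # annotate audit log entries
---
# Pod that satisfies the "restricted" profile.
apiVersion: v1
kind: Pod
metadata:
  name: web                             # placeholder name
  namespace: demo-restricted
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                    # placeholder non-root UID
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: registry.example.com/web:1.0   # placeholder image
      ports:
        - containerPort: 8080           # unprivileged port, no capability needed
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL                       # every container must declare this itself
          # "restricted" rejects any add other than NET_BIND_SERVICE,
          # for example:
          #   add: ["NET_ADMIN"]
```

A pod in this namespace that omits the drop of ALL, or adds any capability other than NET_BIND_SERVICE, is rejected at admission.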