Securing Kubernetes Pods: How to Prevent Unwanted Privileged Processes and Enhance Your System's Security

Risks of adding privileged processes in pods

Unless otherwise restricted, anyone who can create pods can add Linux capabilities at will, including inside the container.

For example, pods or nodes can be granted the capability CAP_NET_BIND_SERVICE, which allows binding to privileged ports. With it, ports can be opened in the cluster so that the cluster becomes reachable from outside.

In the PodSecurityPolicy, the following entry should be kept as the default:

  requiredDropCapabilities:
    - ALL

(As of Kubernetes 1.25, use Pod Security Admission instead of PodSecurityPolicy, as that feature has been deprecated.)
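The check behind that entry, written out as an added example (not code from the KubeOps page or from Kubernetes itself): the script below audits pod manifests for the capability rule that the "restricted" Pod Security Standard enforces, namely that every container drops ALL capabilities and adds back at most NET_BIND_SERVICE, and it also flags `privileged: true`, which grants all capabilities regardless of the drop list. The manifests are constructed for illustration and are embedded as Python dicts so the script runs without a YAML library; the function names are my own.

```python
"""Audit pod manifests for Linux capability handling.

Added example, not part of the KubeOps page. Implements the capability rule of
the Kubernetes "restricted" Pod Security Standard: every container must drop
ALL capabilities and may add back only NET_BIND_SERVICE. The sample manifests
below are constructed for illustration.
"""
from typing import Any, Dict, List

# The restricted profile permits exactly one capability to be added back.
ALLOWED_ADD = {"NET_BIND_SERVICE"}
# All three container lists of a pod spec are subject to the same rule.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def normalize(cap: str) -> str:
    """Kubernetes uses names without the CAP_ prefix; accept both spellings."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(path: str, container: Dict[str, Any]) -> List[str]:
    """Return a list of findings (empty means the container passes)."""
    findings: List[str] = []
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        findings.append(f"{path}: privileged=true grants all capabilities")
    caps = sc.get("capabilities") or {}
    drop = {normalize(c) for c in caps.get("drop") or []}
    add = {normalize(c) for c in caps.get("add") or []}
    if "ALL" not in drop:
        findings.append(f"{path}: capabilities.drop must include ALL")
    disallowed = sorted(add - ALLOWED_ADD)
    if disallowed:
        findings.append(f"{path}: capabilities.add contains {', '.join(disallowed)}")
    return findings


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Audit every container of a pod manifest (dict form of the YAML)."""
    spec = pod.get("spec") or {}
    findings: List[str] = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            name = container.get("name", "?")
            findings.extend(audit_container(f"spec.{field}[{name}]", container))
    return findings


# Constructed sample manifests (not from any real cluster).
UNSAFE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "unsafe"},
    "spec": {"containers": [{
        "name": "app", "image": "example.invalid/app:1",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}},
    }]},
}

PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "priv"},
    "spec": {"containers": [{
        "name": "app", "image": "example.invalid/app:1",
        "securityContext": {"privileged": True},
    }]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {"containers": [{
        "name": "web", "image": "example.invalid/web:1",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["CAP_NET_BIND_SERVICE"]},
        },
    }]},
}


if __name__ == "__main__":
    for pod in (UNSAFE_POD, PRIVILEGED_POD, HARDENED_POD):
        result = audit_pod(pod)
        status = "FAIL" if result else "OK"
        print(f"{pod['metadata']['name']}: {status}")
        for finding in result:
            print("  -", finding)
```

The hardened pod passes even though it adds NET_BIND_SERVICE back, because the restricted standard makes that one exception so that a web server can bind port 80 or 443 as an unprivileged user. In a cluster, the same rule is applied by the admission controller once a namespace carries the label `pod-security.kubernetes.io/enforce: restricted`; the script is useful for checking manifests before they reach the cluster.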


© KubeOps GmbH. All rights reserved.