Risks

Securing Kubernetes Pods: How to Prevent Unwanted Privileged Processes and Enhance Your System's Security

Risks of adding privileged processes in pods

Unless otherwise specified, anyone can add Linux capabilities at their convenience, even in the container.

For example, pods or nodes can get the capability CAP_NET_BIND_SERVICE, which can be used to open privileged ports. So, you can open ports in the cluster, so that you can access the cluster from outside.

In the podsecuritypolicy the following entry should be preserved by default:

  requiredDropCapabilities:
    - ALL

(As of Kubernetes 1.25 use PodSecurityAdmission instead of PodSecurityPolicies, as the feature became deprecated)

follow these measures

Capabilities

Any Questions?

Please feel free to contact us for any question that is not answered yet.

We are looking forward to get in contact with you!

KubeOps GmbH
Hinter Stöck 17
72406 Bisingen
Germany

Telefon:

+49 7433 93724 00
Mail:

This email address is being protected from spambots. You need JavaScript enabled to view it.

Legal

Download Area

Certified as

KubeOps GmbH is the owner of the Union trademark KubeOps with the registration number 018305184.