KA-C010: Dangerous capabilities added

Severity: Error | Category: Security | Profile: PSS Baseline

CIS Kubernetes Benchmark v1.8, Section 5.2.7: Minimize the admission of containers with added capabilities

Why This Matters

The container adds Linux capabilities that are not in the PSS Baseline allowed set. Capabilities such as SYS_ADMIN and NET_RAW, or the ALL keyword, grant privileges far beyond what a typical workload needs and can lead to container breakout. The PSS Baseline profile restricts capabilities.add to a safe subset.

How to Fix

Remove dangerous capabilities from securityContext.capabilities.add (the corrected example below also drops all capabilities the workload does not explicitly need).

Before (incorrect)

securityContext:
  capabilities:
    add:
      - SYS_ADMIN
      - NET_RAW

After (correct)

securityContext:
  capabilities:
    drop:
      - ALL
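As an added example (not part of this rule page or the linter's own code), a small Python checker that walks an already-parsed manifest (the dict form yaml.safe_load or json.loads would give you) and reports every capabilities.add entry outside the PSS Baseline allowed set; the sample manifests are constructed to mirror the before/after blocks above, plus a Pod mixing an allowed and a disallowed entry.

```python
"""Report capabilities.add entries outside the PSS Baseline allowed set (KA-C010)."""
from typing import Any, Dict, List

# Capabilities the Pod Security Standards Baseline profile permits in
# securityContext.capabilities.add; anything else (including ALL) is flagged.
BASELINE_ALLOWED_ADD = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})

def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec of a Pod, or of a pod-template workload (Deployment, Job, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec") or {}
    return ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}

def find_disallowed_capabilities(manifest: Dict[str, Any]) -> List[str]:
    """Return one 'field/container: CAP' finding per added capability not in the Baseline set.

    Comparison is an exact string match, so a misspelled or CAP_-prefixed entry
    is reported rather than silently accepted.
    """
    findings: List[str] = []
    spec = pod_spec(manifest)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                if cap not in BASELINE_ALLOWED_ADD:
                    findings.append(f"{field}/{container.get('name', '?')}: {cap}")
    return findings

# Constructed sample manifests (parsed form, as yaml.safe_load would produce).
BEFORE = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]}}},
]}}}}
AFTER = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
]}}}}
MIXED = {"kind": "Pod", "spec": {
    "initContainers": [{"name": "init", "securityContext": {"capabilities": {"add": ["ALL"]}}}],
    "containers": [{"name": "web", "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}],
}}

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, find_disallowed_capabilities(manifest) or "clean")
```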

Rule Details

Rule Code: KA-C010
Severity: Error
Category: Security

Related Rules