
KA-C011: Capabilities not dropped

Severity: Warning | Category: Security | Profile: PSS Restricted

CIS Kubernetes Benchmark v1.8, Section 5.2.7: Minimize the admission of containers with added capabilities

Why This Matters

The container does not drop ALL capabilities. Without capabilities.drop: ["ALL"] in the container securityContext, the container keeps the runtime's default Linux capability set. The PSS Restricted profile requires spec.containers[*].securityContext.capabilities.drop to include ALL.

How to Fix

Add capabilities.drop: ["ALL"] to the container securityContext.

Before (incorrect)

containers:
  - name: app
    securityContext:
      runAsNonRoot: true

After (correct)

containers:
  - name: app
    securityContext:
      runAsNonRoot: true
      capabilities:
        drop:
          - ALL
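
The check and the fix above, as an added example that is not part of this rule page or its tooling: a small Python checker that evaluates the KA-C011 condition on a parsed manifest (the dict form a YAML or JSON parser returns, so no YAML library is needed) and applies the capabilities.drop: ["ALL"] remediation. It goes slightly beyond the page by also covering initContainers and workloads that embed a Pod template; the sample manifest is constructed to mirror the "before" snippet.

```python
import copy

def _pod_spec(manifest):
    """Return the Pod spec for a Pod, or for a workload that embeds a Pod template."""
    spec = manifest.get("spec") or {}
    kind = manifest.get("kind")
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob nests the template one level deeper
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet: spec.template.spec
    return (spec.get("template") or {}).get("spec") or {}

def _all_containers(pod_spec):
    return (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])

def drops_all(container):
    """True when securityContext.capabilities.drop lists the literal ALL (PSS Restricted)."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return "ALL" in (caps.get("drop") or [])

def find_violations(manifest):
    """Names of containers (init and regular) that do not drop ALL."""
    return [c.get("name", "<unnamed>")
            for c in _all_containers(_pod_spec(manifest)) if not drops_all(c)]

def remediate(manifest):
    """Return a copy with capabilities.drop: ["ALL"] added wherever it is missing."""
    fixed = copy.deepcopy(manifest)
    for c in _all_containers(_pod_spec(fixed)):
        if drops_all(c):
            continue
        sc = c["securityContext"] = c.get("securityContext") or {}
        caps = sc["capabilities"] = sc.get("capabilities") or {}
        caps["drop"] = (caps.get("drop") or []) + ["ALL"]  # keeps any existing drops
    return fixed

# Constructed sample mirroring the page's "before" snippet (not from a real cluster).
BEFORE = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
          "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
                                   "securityContext": {"runAsNonRoot": True}}]}}

if __name__ == "__main__":
    print("violations:", find_violations(BEFORE))            # ['app']
    print("after fix:", find_violations(remediate(BEFORE)))  # []
```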

Rule Details

Rule Code: KA-C011
Severity: Warning
Category: Security

Related Rules