rspec/rules/S5849/kubernetes/rule.adoc

include::../common/description.adoc[]

== Ask Yourself Whether

include::../common/ask-yourself.adoc[]

== Recommended Secure Coding Practices

include::../common/recommended.adoc[]

== Sensitive Code Example

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    securityContext:
      capabilities:
        add: ["SYS_ADMIN"] # Sensitive
----

== Compliant Solution

[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
----


== See

* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 -  Incorrect Privilege Assignment]
* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container
* https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure setting capabilities is safe here.


'''
== Comments And Links
(visible only on this page)



endif::env-github,rspecator-view[]