ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5849/kubernetes/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

81 lines
2.2 KiB
Plaintext
Raw Blame History

Setting capabilities can lead to privilege escalation and container escapes.
Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.
In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.
== Ask Yourself Whether
Capabilities are granted:
* To a process that does not require all capabilities to do its job.
* To a not trusted process.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned.
== Sensitive Code Example
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
securityContext:
capabilities:
add: ["SYS_ADMIN"] # Sensitive
----
== Compliant Solution
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
----
== See
* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment]
* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container
* https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure setting capabilities is safe here.
'''
== Comments And Links
(visible only on this page)
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink