
Pod Security Policies Advisor - Container Running with Uncontrolled Linux Capabilities

DevOps Kubernetes Governance Policies

Overview

Kubernetes allows pods to be granted specific Linux capabilities on a node without providing full root access. If left unchecked, a pod can gain far more access than it should, leaving your cluster exposed to unwanted and unwarranted actions that could render your systems inoperable.

How Magalix Helps

By default, Magalix KubeAdvisor’s Pod Security Policies Advisor ships with the Container with uncontrolled Linux capabilities check enabled. It can detect, on one cluster or across all of your clusters, when pods are scheduled with certain root-level capabilities enabled.

Identifying the Issue

Issues Dashboard

When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.

You’ll be brought to your Issues Dashboard. The top half of the page will display donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

In the lower half of the page, locate Container running with uncontrolled Linux capabilities.

Issue Page

On the Issue page, you will see how many entities are out of compliance along with a description of the Advisor.

If you scroll down, you will see each individual violation. After clicking on an entity, you can see the full breakdown in our Recommendation page.

Recommendation Page

1- Description

For every policy, we give a brief explanation of what it checks.

2- Evidence

As a part of the violation, Magalix KubeAdvisor shows you your entity in YAML format. You can identify exactly where the problem is. Search for capabilities in your securityContext to see if any are running with "SYS_ADMIN", "NET_ADMIN", or "ALL" capabilities set.

3- Resolution

This area provides suggestions on how you can resolve the violation.
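The Evidence and Resolution steps above amount to a simple check that can also be run offline against the manifests you are about to apply. The following is an added example, not Magalix's own code or KubeAdvisor's detection logic: it walks a Pod or workload manifest (Deployment, DaemonSet, Job, and so on), reports every container whose securityContext adds SYS_ADMIN, NET_ADMIN or ALL (privileged containers receive the full capability set, so they are reported as ALL), and produces a least-privilege version that drops ALL and adds back only the capabilities each container actually needs. The manifest is a constructed sample written in JSON, which kubectl accepts just as it accepts YAML, so only the standard library is needed; the container and image names are invented for illustration.

```python
import copy
import json

# Capabilities the Advisor flags, as listed in the Evidence step. ALL expands to
# the entire capability set, so it is treated the same as SYS_ADMIN/NET_ADMIN.
UNCONTROLLED_CAPS = {"SYS_ADMIN", "NET_ADMIN", "ALL"}

# Constructed sample manifest (JSON form of what the Evidence panel shows in YAML).
# One init container and two app containers escalate in three different ways.
VULNERABLE_MANIFEST = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "example-web"},
  "spec": {
    "template": {
      "spec": {
        "initContainers": [
          {"name": "init-net", "image": "busybox",
           "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}
        ],
        "containers": [
          {"name": "web", "image": "nginx",
           "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}}},
          {"name": "sidecar", "image": "busybox",
           "securityContext": {"privileged": true}}
        ]
      }
    }
  }
}
""")


def _pod_spec(manifest):
    """Return the pod spec for a bare Pod, or the pod template spec for a workload."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def _normalize(cap):
    """Upper-case the name and strip an optional CAP_ prefix (CAP_NET_ADMIN -> NET_ADMIN)."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def find_uncontrolled_capabilities(manifest):
    """Return a list of (container_name, capability) for every flagged capability.

    Init containers are checked as well as app containers: a capability granted
    to an init container is just as exploitable while that container runs.
    """
    findings = []
    pod = _pod_spec(manifest)
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        sc = container.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((container["name"], "ALL"))
        added = (sc.get("capabilities") or {}).get("add") or []
        for cap in added:
            cap = _normalize(cap)
            if cap in UNCONTROLLED_CAPS:
                findings.append((container["name"], cap))
    return findings


def harden(manifest, keep=None):
    """Return a copy where every container drops ALL capabilities and adds back only
    those listed for it in `keep` ({container_name: [capability, ...]}). Also removes
    privileged mode. The original manifest is left untouched."""
    keep = keep or {}
    fixed = copy.deepcopy(manifest)
    pod = _pod_spec(fixed)
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        sc = container.setdefault("securityContext", {})
        sc.pop("privileged", None)
        sc["capabilities"] = {"drop": ["ALL"], "add": sorted(keep.get(container["name"], []))}
    return fixed


if __name__ == "__main__":
    for name, cap in find_uncontrolled_capabilities(VULNERABLE_MANIFEST):
        print(f"violation: container {name!r} gains {cap}")
    # The web server only needs to bind port 80, so that is the only capability kept.
    fixed = harden(VULNERABLE_MANIFEST, keep={"web": ["NET_BIND_SERVICE"]})
    print("after hardening:", find_uncontrolled_capabilities(fixed) or "no violations")
```

Running the script lists three violations (init-net gains NET_ADMIN, web gains SYS_ADMIN, sidecar gains ALL via privileged mode) and none after hardening. Dropping ALL first and then adding back a named few is the pattern worth copying into your own manifests, because it keeps the default capability set from silently growing when the base image or runtime changes.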

4- History

At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.

Conclusion

By default, containers run with a limited set of Linux capabilities. Adding further capabilities such as "SYS_ADMIN", "NET_ADMIN", or "ALL" can be quite dangerous. Magalix provides an Advisor, enabled out of the box, that captures each time a pod is scheduled with these Linux capabilities. Check now whether any of your containers have Linux admin capabilities so you can remove any unnecessary privileges.
