Pod Security Policies Advisor - Container Running with Uncontrolled Linux Capabilities

Overview

Kubernetes allows pods to have specific node capabilities without providing full root access. If left unchecked, a pod can gain much more access than it should, leaving your cluster vulnerable to do unwanted and unwarranted action that could leave your systems inoperable

How Magalix Helps?

By default, Magalix KubeAdvisor’s Pod Security Policies Advisor ships with Container with uncontrolled Linux capabilities. We can detect against one cluster, or all of your clusters, when pods are scheduled with certain root level capabilities enabled.

Identifying the Issue

Issues Dashboard

When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.

You’ll be brought to your Issues Dashboard. The top half of the page will display donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

In the lower half of the page, locate Container running with uncontrolled Linux capabilities.

Issue Page

On the Issue page, you will see how many entities are out of compliance along with a description of the Advisor.

If you scroll down, you will see each individual violation. After clicking on an entity, you can see the full breakdown in our Recommendation page.

Recommendation Page

1- Description

In every policy, we give a brief explanation of our policy.

2- Evidence

As a part of the violation, Magalix KubeAdvisor shows you your entity in YAML format. You can identify exactly where the problem is. Search for capabilities in your securityContext to see if any are running with "SYS_ADMIN", "NET_ADMIN", or "ALL" capabilities set.

3- Resolution

This area provides suggestions on how you can resolve the violation.

4- History

At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.

Conclusion

By default, containers run with certain Linux capabilities. Adding additional capabilities, such as "SYS_ADMIN", "NET_ADMIN", or "ALL" can be quite dangerous. Magalix provides you an enabled Advisor, out of the box, to ensure we are capturing each time a pod is scheduled with these Linux capabilities. Check to see if any of your containers have Linux admin capabilities now so you can remedy any unnecessary privileges.