
Pod Security Policies Advisor - Container Running with Uncontrolled Linux Capabilities

DevOps Kubernetes Governance Policies

Overview

Kubernetes allows containers in a pod to request specific Linux capabilities on the node without being granted full root access. If left unchecked, a pod can gain much more access than it should, leaving your cluster exposed to unwanted and unwarranted actions that could leave your systems inoperable.

How Magalix Helps

By default, Magalix KubeAdvisor’s Pod Security Policies Advisor ships with the Container with uncontrolled Linux capabilities Advisor enabled. It detects, on one cluster or across all of your clusters, when pods are scheduled with certain root-level capabilities enabled.

Identifying the Issue

Issues Dashboard

When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.

You’ll be brought to your Issues Dashboard. The top half of the page will display donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

In the lower half of the page, locate Container running with uncontrolled Linux capabilities.

Issue Page

On the Issue page, you will see how many entities are out of compliance along with a description of the Advisor.

If you scroll down, you will see each individual violation. After clicking on an entity, you can see the full breakdown in our Recommendation page.

Recommendation Page

1- Description

In every policy, we give a brief explanation of our policy.

2- Evidence

As a part of the violation, Magalix KubeAdvisor shows you your entity in YAML format. You can identify exactly where the problem is. Search for capabilities in your securityContext to see if any are running with "SYS_ADMIN", "NET_ADMIN", or "ALL" capabilities set.
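The check described above can be scripted for manifests you have on disk or in a pipeline. The following is an added example, not Magalix's or KubeAdvisor's own code: it walks the containers and initContainers of a workload and reports every container whose securityContext adds SYS_ADMIN, NET_ADMIN or ALL. It goes slightly beyond the Pod case in the text by also accepting workloads with a pod template (Deployment, DaemonSet, StatefulSet, Job). The two manifests, image names and container names are constructed samples written as the dicts `yaml.safe_load` would return, so the block runs without any dependency.

```python
# Added example (not Magalix's own code): flag containers whose securityContext
# adds a root-equivalent Linux capability, mirroring the Evidence step above.

RISKY_CAPABILITIES = {"SYS_ADMIN", "NET_ADMIN", "ALL"}


def _normalize(cap):
    # Kubernetes accepts either "SYS_ADMIN" or "CAP_SYS_ADMIN"; compare on the bare name.
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _pod_spec(obj):
    # A bare Pod carries containers under spec; Deployments, DaemonSets,
    # StatefulSets and Jobs carry them under spec.template.spec.
    spec = obj.get("spec") or {}
    template = spec.get("template")
    if isinstance(template, dict) and "spec" in template:
        return template["spec"] or {}
    return spec


def find_uncontrolled_capabilities(obj):
    """Return (container name, capability) pairs for every capability in
    RISKY_CAPABILITIES that a container or initContainer of this workload adds."""
    spec = _pod_spec(obj)
    findings = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                name = _normalize(cap)
                if name in RISKY_CAPABILITIES:
                    findings.append((container["name"], name))
    return findings


# Constructed sample: what the Evidence panel would show for a violating Pod.
VIOLATING_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug-tools"},
    "spec": {
        "containers": [
            {
                "name": "tools",
                "image": "example.invalid/tools:1.0",  # placeholder image
                "securityContext": {
                    "capabilities": {"add": ["NET_ADMIN", "CAP_SYS_ADMIN"]}
                },
            }
        ]
    },
}

# Constructed hardened form: drop everything, then add back only what the
# workload needs (here, binding port 80 as a non-root user).
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "web",
                        "image": "example.invalid/web:1.0",  # placeholder image
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                        },
                    }
                ]
            }
        }
    },
}

if __name__ == "__main__":
    for obj in (VIOLATING_POD, HARDENED_DEPLOYMENT):
        hits = find_uncontrolled_capabilities(obj)
        status = "VIOLATION" if hits else "ok"
        print(f"{obj['metadata']['name']}: {status} {hits}")
```

The hardened manifest shows the pattern the Resolution section points toward: drop ALL first, then add only the single capability the process actually requires, so that the checker (and the Advisor) finds nothing to report.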

3- Resolution

This area provides suggestions on how you can resolve the violation.

4- History

At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.

Conclusion

By default, containers run with a limited set of Linux capabilities. Adding capabilities such as "SYS_ADMIN", "NET_ADMIN", or "ALL" can be quite dangerous. Magalix provides an Advisor, enabled out of the box, that captures each time a pod is scheduled with these Linux capabilities. Check now whether any of your containers have Linux admin capabilities so you can remove any unnecessary privileges.
