Configuring reasonable capabilities (CAP)
Vulnerability analysis
Scan sample:
[control: Linux hardening] failed 😥
Description: Often, containers are given more privileges than actually needed. This behavior can increase the impact of a container compromise.
Namespace security
Deployment - nginx
Summary - Passed:0 Warning:0 Failed:1 Total:1
Remediation: Make sure you define at least one linux security hardening property out of AppArmor, Seccomp, SELinux or Capabilities.
Description:
If a program runs with privileges, its permissions should be reduced as far as possible. Many default privileges/capabilities are not needed by the program itself, and their presence can be abused by an attacker.
Hardening plan
Recommendation: DROP all capabilities, configured through the container's securityContext.capabilities field:
apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
  - name: api-server
    image: xzxwl/api-server-demo:latest
    securityContext:
      capabilities:
        drop:
        - ALL
        add:
        - CHOWN
Add capabilities back only as needed:
apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
  - name: api-server
    image: xzxwl/api-server-demo:latest
    securityContext:
      capabilities:
        drop:
        - ALL
        add:
        - CHOWN
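As an added example (not code from the original page or from the scanner it quotes), the checker below applies the same rule as the "Linux hardening" control in the scan output above to a Pod manifest: it reports containers that define none of AppArmor, Seccomp, SELinux or Capabilities, flags a capabilities block that does not drop ALL, and lists every capability added back so it can be reviewed. Manifests are given as plain dicts (the JSON form of the YAML) so it runs offline; the sample Pods are constructed from the manifests on this page.

```python
# Added example, not the page's or the scanner's own code.
# Keys checked in securityContext; appArmorProfile is the field form of the AppArmor annotation.
HARDENING_KEYS = ("seccompProfile", "seLinuxOptions", "capabilities", "appArmorProfile")
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def container_findings(pod: dict, container: dict) -> list:
    """Return human-readable findings for one container; an empty list means it passes."""
    findings = []
    sc = container.get("securityContext") or {}
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    has_apparmor = (APPARMOR_PREFIX + container["name"]) in annotations
    if not has_apparmor and not any(k in sc for k in HARDENING_KEYS):
        findings.append("no AppArmor/Seccomp/SELinux/Capabilities hardening defined")
    caps = sc.get("capabilities") or {}
    drop = [c.upper() for c in caps.get("drop") or []]
    add = [c.upper() for c in caps.get("add") or []]
    if "capabilities" in sc and "ALL" not in drop:
        findings.append("capabilities defined but not dropping ALL")
    # Capabilities added back after 'drop: ALL' are deliberate; surface them for review.
    for cap in add:
        findings.append(f"adds capability {cap}")
    return findings


def check_linux_hardening(pod: dict) -> dict:
    """Map container name -> findings, mirroring a per-container scan result."""
    containers = (pod.get("spec") or {}).get("containers") or []
    return {c["name"]: container_findings(pod, c) for c in containers}


# Constructed sample: the hardened api-server Pod shown on this page.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api-server"},
    "spec": {"containers": [{
        "name": "api-server",
        "image": "xzxwl/api-server-demo:latest",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["CHOWN"]}},
    }]},
}

# Constructed sample: an nginx Pod with no hardening, as in the failed scan above.
UNHARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}

if __name__ == "__main__":
    for pod in (HARDENED_POD, UNHARDENED_POD):
        print(pod["metadata"]["name"], check_linux_hardening(pod))
```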
For a partial breakdown of the individual capabilities, refer to: