Configuring sensible capabilities (CAP)

Vulnerability analysis

Scan sample:

[control: Linux hardening] failed 😥
Description: Often, containers are given more privileges than actually needed. This behavior can increase the impact of a container compromise.
   Namespace security
      Deployment - nginx
Summary - Passed:0   Warning:0   Failed:1   Total:1
Remediation: Make sure you define  at least one linux security hardening property out of AppArmor, Seccomp, SELinux or Capabilities.

Description:

If a program runs with a privileged identity, its privileges should be reduced as far as possible. Many of the default privileges/capabilities are not needed by the program itself, and any that remain can be abused by an attacker who compromises the container.

Hardening

Recommended: drop all capabilities, configured through the container's securityContext.capabilities field:

apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
    - name: api-server
      image: xzxwl/api-server-demo:latest
      securityContext:
        capabilities:
          drop:
            - ALL

Then add back only the capabilities the program actually needs (here CHOWN); Kubernetes applies the drop list first, so the container ends up with just the added set:

apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
    - name: api-server
      image: xzxwl/api-server-demo:latest
      securityContext:
        capabilities:
          drop:
            - ALL
          add:
            - CHOWN
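
As an added example (not code from the original page), a small Python audit that applies the same check as the scan output above to a parsed Pod manifest: it flags containers that do not drop ALL and any high-risk capabilities added back. The two manifests are constructed, and the HIGH_RISK list is an assumption of this example.

```python
"""Audit the capabilities section of a Pod spec the way the scan above does."""

# Constructed manifests, already parsed into dicts (what yaml.safe_load would return).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api-server"},
    "spec": {"containers": [{
        "name": "api-server", "image": "xzxwl/api-server-demo:latest",
        "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["CHOWN"]}},
    }]},
}
DEFAULT_POD = {  # no securityContext: the runtime's default capability set applies
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}

# Capabilities that, if added back, largely undo the hardening (assumed list, not from the page).
HIGH_RISK = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(container):
    """Return a list of findings for one container; an empty list means the check passes."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    added = {c.upper() for c in caps.get("add") or []}
    findings = []
    if "ALL" not in dropped:
        findings.append("capabilities.drop does not contain ALL (runtime default set kept)")
    if "ALL" in added:
        findings.append("capabilities.add contains ALL")
    # drop is applied before add, so anything listed here is really granted
    for cap in sorted(added & HIGH_RISK):
        findings.append(f"adds high-risk capability {cap}")
    return findings


def audit_pod(pod):
    """Map each container name in the Pod spec to its findings."""
    return {c["name"]: audit_container(c) for c in pod["spec"]["containers"]}


if __name__ == "__main__":
    for manifest in (HARDENED_POD, DEFAULT_POD):
        print(manifest["metadata"]["name"], audit_pod(manifest))
```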

For an explanation of the individual capabilities, refer to:

Copyright © weiliang 2021 all rights reserved, powered by Gitbook. Published: 2024-04-22 16:03:41