containers[] .securityContext .capabilities .add | index("SYS_ADMIN")

CAP_SYS_ADMIN is the most privileged capability and should always be avoided

Capabilities permit certain named root actions without giving full root access. They are a more fine-grained permissions model, and all capabilities should be dropped from a pod, with only those required added back.

There are a large number of capabilities, with CAP_SYS_ADMIN bounding most. Never enable this capability - it’s equivalent to root.

Example


---
apiVersion: extensions/v1beta1
kind: Deployment
...
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
            drop:
              - all
            add:
              - NET_BIND_SERVICE

Notes

  • Drop all capabilities from a pod as above
  • Add only those required
  • Run a comprehensive test suite to ensure security extensions have not blocked functionality that your containers or pods require

Try it on Katacoda

Built with by controlplane