Capabilities permit certain named root actions without giving full root access. They are a more fine-grained permissions model, and all capabilities should be dropped from a pod, with only those required added back.
There are a large number of capabilities, with CAP_SYS_ADMIN bounding most. Never enable this capability - it’s equivalent to
```yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
...
      containers:
      - name: payment
        image: nginx
        securityContext:
          capabilities:
            drop:
            - all
            add:
            - NET_BIND_SERVICE
```
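One way to check manifests against the drop-all, add-back-only-what-is-required rule described above. This is an added example, not code from the original page. The function names, the allow-list parameter, the case-insensitive name matching and the sample pod spec are assumptions made for illustration.

```python
# Added example: audit container specs for the "drop all capabilities,
# add back only what is required" rule. Names here are illustrative.

# SYS_ADMIN is the capability the page says never to enable; adding ALL
# grants every capability, so it is flagged the same way.
DANGEROUS = {"SYS_ADMIN", "ALL"}


def normalize(cap):
    """Upper-case and strip an optional CAP_ prefix so names compare equal."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(container, allowed_adds=frozenset()):
    """Return a list of findings for one container dict from a pod spec."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {normalize(c) for c in caps.get("drop") or []}
    added = {normalize(c) for c in caps.get("add") or []}
    allowed = {normalize(c) for c in allowed_adds}
    findings = []
    if "ALL" not in dropped:
        findings.append("does not drop all capabilities")
    for cap in sorted(added & DANGEROUS):
        findings.append(f"adds {cap}")
    for cap in sorted(added - DANGEROUS - allowed):
        findings.append(f"adds {cap}, which is not on the allow-list")
    return findings


def audit_pod_spec(pod_spec, allowed_adds=frozenset()):
    """Audit initContainers and containers; returns {name: findings}."""
    report = {}
    for key in ("initContainers", "containers"):
        for c in pod_spec.get(key) or []:
            found = audit_container(c, allowed_adds)
            if found:
                report[c.get("name", "<unnamed>")] = found
    return report


# Constructed sample: the page's container plus two non-compliant ones.
SAMPLE_POD_SPEC = {"containers": [
    {"name": "payment", "image": "nginx", "securityContext": {
        "capabilities": {"drop": ["all"], "add": ["NET_BIND_SERVICE"]}}},
    {"name": "debug", "image": "nginx", "securityContext": {
        "capabilities": {"add": ["SYS_ADMIN"]}}},
    {"name": "sidecar", "image": "nginx"},
]}

if __name__ == "__main__":
    for name, found in audit_pod_spec(SAMPLE_POD_SPEC, {"NET_BIND_SERVICE"}).items():
        print(name, "->", "; ".join(found))
```

A container with no `securityContext` at all is reported too, since it keeps the runtime's default capability set instead of dropping everything.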