kubesec.io
.spec .volumes[] .hostPath .path == "/var/run/docker.sock"
Mounting the Docker daemon socket (/var/run/docker.sock) into a pod hands every process in that pod the same control of the Docker daemon that root has on the node. Through the Docker API it can list and inspect every other container on the host (including their environment variables and mounts), and it can start a new privileged container with the host filesystem mounted, which is a full container breakout onto the node. A hostPath volume with this path should be treated as a critical finding and removed rather than mitigated with other pod settings.
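The kubesec selector above is a literal comparison against one path. As an added example (not kubesec's own code), the script below implements the same check over manifests or `kubectl ... -o json` output and goes a little further than the rule: it normalises odd spellings such as `/var/run//docker.sock`, also matches `/run/docker.sock` (assumption: the host follows the usual layout where /var/run is a symlink to /run, so both paths reach the same socket), flags a mount of a parent directory such as `/run` or `/` that brings the socket along with it, and looks inside the pod template of Deployments, StatefulSets, DaemonSets, Jobs and CronJobs. The sample manifest, the function names and the output format are all constructed for the illustration.

```python
"""Added example: flag Kubernetes workloads whose hostPath volumes expose the Docker socket."""
import json
import posixpath
import sys

# Paths at which the Docker daemon socket is reachable. /var/run is a symlink to
# /run on most Linux hosts (assumption: standard host layout), so mounting
# /run/docker.sock grants the same access as /var/run/docker.sock even though the
# kubesec selector names only the latter.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def _normalize(path):
    """Collapse '//', '/./' and trailing slashes so unusual spellings still match."""
    return posixpath.normpath(path)


def pod_spec(obj):
    """Return the PodSpec of a Pod, or of the template inside a Deployment,
    StatefulSet, DaemonSet, Job or CronJob."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def docker_socket_findings(obj):
    """One finding per hostPath volume that exposes the Docker socket.

    Finding = (kind, name, volume, declared_path, reason). reason is "socket"
    for a direct mount of the socket file and "parent-dir" when a directory
    above it (/, /var, /var/run, /run) is mounted: the socket comes along with
    the directory, which a literal comparison against the socket path misses.
    """
    kind = obj.get("kind")
    name = (obj.get("metadata") or {}).get("name")
    findings = []
    for vol in pod_spec(obj).get("volumes") or []:
        declared = (vol.get("hostPath") or {}).get("path")
        if not declared:
            continue
        path = _normalize(declared)
        prefix = path.rstrip("/") + "/"
        if path in DOCKER_SOCKET_PATHS:
            findings.append((kind, name, vol.get("name"), declared, "socket"))
        elif any(sock.startswith(prefix) for sock in DOCKER_SOCKET_PATHS):
            findings.append((kind, name, vol.get("name"), declared, "parent-dir"))
    return findings


def scan(obj):
    """Scan a single manifest or a kubectl-style List and return all findings."""
    items = (obj.get("items") or []) if obj.get("kind") == "List" else [obj]
    findings = []
    for item in items:
        findings.extend(docker_socket_findings(item))
    return findings


# Constructed sample, shaped like `kubectl get pods,deployments -o json` output.
SAMPLE_MANIFEST = {
    "kind": "List",
    "items": [
        {   # direct mount, with a spelling a literal string compare would miss
            "kind": "Pod",
            "metadata": {"name": "ci-runner"},
            "spec": {"volumes": [
                {"name": "docker", "hostPath": {"path": "/var/run//docker.sock", "type": "Socket"}},
            ]},
        },
        {   # mounts the whole /run directory, which brings docker.sock with it
            "kind": "Deployment",
            "metadata": {"name": "node-agent"},
            "spec": {"template": {"spec": {"volumes": [
                {"name": "run", "hostPath": {"path": "/run"}},
            ]}}},
        },
        {   # hostPath, but not one that reaches the Docker daemon
            "kind": "DaemonSet",
            "metadata": {"name": "log-shipper"},
            "spec": {"template": {"spec": {"volumes": [
                {"name": "logs", "hostPath": {"path": "/var/log/pods"}},
            ]}}},
        },
    ],
}


if __name__ == "__main__":
    # Feed real cluster state with:
    #   kubectl get pods,deploy,ds,sts,jobs,cronjobs -A -o json | python3 check_docker_sock.py
    target = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_MANIFEST
    for kind, name, volume, path, reason in scan(target):
        print(f"{kind}/{name}: volume {volume!r} mounts {path} ({reason})")
```

Run stand-alone it reports the `ci-runner` Pod as a direct socket mount and the `node-agent` Deployment as a parent-directory mount, and stays silent on the `log-shipper` DaemonSet. The parent-directory case is the one worth keeping in mind when reviewing kubesec output: a pod that mounts `/run` scores no differently from a clean one under the literal rule, yet has exactly the same path to the node.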
Built by control plane