SYS_ADMIN capability should not be added to the container

Severity	Exploitability	Providers	Categories
HIGH	MEDIUM	Kubernetes	PERMISSION

Description

SYS_ADMIN is the most privileged capability for a container. It is equivalent to root and should always be avoided.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	False	False

SYS_ADMIN capability enables to perform a range of system administration operations, and thus exposes the machine on which the container runs to various attacks.

Remediation guidelines

Remove SYS_ADMIN from the container capabilities. This can be done by changing 'containers[].securityContext.capabilities.add'.

References

Kubernetes Doc - Configure a Security Context for a Pod or Container
Linux manual - Capabilities

SYS_ADMIN capability should not be added to the container

Description

Impact

Remediation guidelines

References

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

SYS_ADMIN capability should not be added to the container

Description​

Impact​

Remediation guidelines​

References​

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Subscribe to our newsletter

Description

Impact

Remediation guidelines

References