Json Yaml Capabilities Add Sys Admin
Description
Detects when Kubernetes container configurations grant the dangerous SYS_ADMIN capability. SYS_ADMIN is the kernel's catch-all capability: it allows mounting filesystems, a wide range of privileged ioctls and namespace operations, and many other actions that together amount to near-root control of the node, so a container that holds it is far easier to break out of and poses a significant risk to the whole Kubernetes cluster.
Detection Strategy
• Scans Kubernetes resource files (like Pod or Deployment specs) for container security context definitions
• Examines the 'capabilities.add' field in container specifications
• Alerts if 'SYS_ADMIN' capability (case-insensitive) is added to any container
• Reports each container configuration that includes this dangerous capability
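The following Python script is an added example of the strategy just described, not the rule's own implementation. It walks a Pod (or a workload that wraps a pod template), reads every container's securityContext.capabilities.add and reports each container that adds SYS_ADMIN regardless of case. Two assumptions go beyond the page: manifests are embedded as JSON, which the Kubernetes API accepts alongside YAML, so the block runs without PyYAML (with it, yaml.safe_load_all on a .yaml file yields the same dictionaries); and it also matches an optional CAP_ prefix and looks at init and ephemeral containers, which the page's rule does not mention.

```python
"""Added example (not Fluid Attacks' rule code): flag Kubernetes containers whose
securityContext.capabilities.add grants SYS_ADMIN.

Manifests are embedded as JSON, which the Kubernetes API accepts alongside YAML;
with PyYAML installed, yaml.safe_load_all() on a .yaml file yields the same dicts.
"""
import json
from typing import Iterator


def _pod_spec(doc: dict) -> tuple[str, dict]:
    """Return (json-path prefix, pod spec) for a Pod or a workload wrapping a pod template."""
    prefix, spec = "spec", doc.get("spec") or {}
    if doc.get("kind") == "CronJob":  # CronJob -> jobTemplate -> pod template
        prefix = prefix + ".jobTemplate.spec"
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    template = spec.get("template")
    if isinstance(template, dict):  # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
        prefix, spec = prefix + ".template.spec", template.get("spec") or {}
    return prefix, spec


def _containers(doc: dict) -> Iterator[tuple[str, dict]]:
    """Yield (path, container) for init, regular and ephemeral containers."""
    prefix, spec = _pod_spec(doc)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for idx, container in enumerate(spec.get(field) or []):
            if isinstance(container, dict):
                yield f"{prefix}.{field}[{idx}]", container


def _normalize(cap: object) -> str:
    """Upper-case the name and strip an optional CAP_ prefix (assumption: some tooling
    writes CAP_SYS_ADMIN; the page's rule only requires a case-insensitive match)."""
    name = str(cap).strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def find_sys_admin(doc: dict) -> list[dict]:
    """One finding per container that adds SYS_ADMIN, as the detection strategy describes."""
    findings = []
    resource = f"{doc.get('kind', '?')}/{(doc.get('metadata') or {}).get('name', '?')}"
    for path, container in _containers(doc):
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        added = caps.get("add") or []
        if not isinstance(added, list):  # tolerate a bare scalar instead of a list
            added = [added]
        if any(_normalize(c) == "SYS_ADMIN" for c in added):
            findings.append({
                "resource": resource,
                "container": container.get("name", "?"),
                "path": f"{path}.securityContext.capabilities.add",
                "added": [str(c) for c in added],
            })
    return findings


def scan_manifest(text: str) -> list[dict]:
    """Scan one JSON manifest, or a kind: List wrapper, and collect findings."""
    doc = json.loads(text)
    docs = (doc.get("items") or []) if doc.get("kind") == "List" else [doc]
    return [f for d in docs for f in find_sys_admin(d)]


# Constructed sample manifests (not from the page): a vulnerable Pod, a Deployment whose
# init container adds the capability with a CAP_ prefix, and a hardened Pod.
VULNERABLE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "vulnerable-pod"},
    "spec": {"containers": [{
        "name": "container-1", "image": "nginx",
        "securityContext": {"capabilities": {"add": ["sys_admin"]}},
    }]},
})

VULNERABLE_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "vulnerable-deploy"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "image": "busybox",
                            "securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}],
        "containers": [{"name": "web", "image": "nginx"}],
    }}},
})

SECURE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {"automountServiceAccountToken": False, "containers": [{
        "name": "web", "image": "nginx",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
    }]},
})

if __name__ == "__main__":
    for manifest in (VULNERABLE_POD, VULNERABLE_DEPLOYMENT, SECURE_POD):
        for f in scan_manifest(manifest):
            print(f"{f['resource']} container {f['container']!r} adds SYS_ADMIN at {f['path']}")
```

The hardened manifest passes because it drops ALL and adds back only NET_BIND_SERVICE; that "drop everything, re-add the minimum" pattern is the shape a reviewer should expect in the secure example further down.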
Vulnerable code example
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  containers:
    - name: container-1
      image: nginx...

✅ Secure code example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
  labels:
    app: web
spec:
  automountServiceAccountToken: false # Prevent automatic mounting of service account tokens...