Terraform Missing Drop All Capability

Description

Detects when Kubernetes containers are configured without explicitly dropping all capabilities. Container capabilities provide privileged access to host resources, so failing to drop unnecessary capabilities violates the principle of least privilege and increases the attack surface.

Weakness: 267 - Excessive Privileges - Kubernetes

Category: Functionality Abuse

Detection Strategy

    Scans Kubernetes resource definitions (Pod, Deployment, etc.) for container specifications

    Checks if security context configuration exists for containers

    Verifies if capabilities.drop includes 'ALL' to ensure unnecessary privileges are removed

    Reports a vulnerability if containers lack the required capability dropping configuration

Vulnerable code example

resource "kubernetes_pod" "vulnerable_pod" {
  metadata {
    name = "vulnerable-pod"
  }
  spec {
    container {
      name  = "container"
      image = "nginx"
      # No security_context block: the container keeps the runtime's default
      # capability set instead of dropping ALL, which is what this rule flags
    }
  }
}

✅ Secure code example

resource "kubernetes_pod" "secure_pod" {
  metadata {
    name = "secure-pod"
  }
  spec {
    automount_service_account_token = false  # Prevent access to service account credentials
    security_context {
      run_as_non_root = true  # Ensure pod runs as non-root user
    }
    container {
      name  = "container"
      image = "nginx"
      security_context {
        capabilities { drop = ["ALL"] }  # Drop every Linux capability; add back only what the workload needs
      }
    }
  }
}
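The detection strategy above, as an added example that is not the rule's own implementation: a Python check over the JSON plan that `terraform show -json` emits (assumed layout: nested HCL blocks appear as lists of objects), run against a constructed sample plan containing one pod like the vulnerable example and one like the secure example.

```python
import json

# Resource types to inspect, mapped to the block path from the resource's
# attributes down to the pod spec that holds the container list.
POD_SPEC_PATHS = {
    "kubernetes_pod": ("spec",),
    "kubernetes_deployment": ("spec", "template", "spec"),
}

def _walk(obj, path):
    """Follow `path` through nested blocks, each serialised as a one-element list."""
    for key in path:
        if not isinstance(obj, dict) or not obj.get(key):
            return None
        obj = obj[key][0]
    return obj

def drops_all_capabilities(container):
    """True only when security_context.capabilities.drop contains "ALL"."""
    caps = _walk(container, ("security_context", "capabilities"))
    drop = caps.get("drop") if caps else None
    return bool(drop) and "ALL" in drop

def find_violations(plan):
    """Return 'resource address/container name' for every container that keeps capabilities."""
    violations = []
    for rc in plan.get("resource_changes", []):
        path = POD_SPEC_PATHS.get(rc.get("type"))
        after = rc.get("change", {}).get("after")
        if path is None or after is None:  # unsupported type, or resource being destroyed
            continue
        pod_spec = _walk(after, path)
        if not pod_spec:
            continue
        for kind in ("init_container", "container"):  # init containers count too
            for c in pod_spec.get(kind) or []:
                if not drops_all_capabilities(c):
                    violations.append(f"{rc['address']}/{c.get('name', '?')}")
    return violations

# Constructed sample plan (not real scanner output): one vulnerable pod, one secure pod.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "kubernetes_pod.vulnerable_pod", "type": "kubernetes_pod",
  "change": {"actions": ["create"], "after": {"spec": [{"container": [
     {"name": "container", "image": "nginx", "security_context": []}]}]}}},
 {"address": "kubernetes_pod.secure_pod", "type": "kubernetes_pod",
  "change": {"actions": ["create"], "after": {"spec": [{"container": [
     {"name": "container", "image": "nginx", "security_context": [
        {"capabilities": [{"drop": ["ALL"], "add": []}]}]}]}]}}}]}""")

if __name__ == "__main__":
    print(find_violations(SAMPLE_PLAN))  # ['kubernetes_pod.vulnerable_pod/container']
```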