Least privileged Linux capabilities should be enforced for containers

CRITICAL

Enforces that containers run with the minimum required Linux capabilities, following the principle of least privilege.

What does this mean?

Linux capabilities split the privileges traditionally held by root into distinct units (for example CAP_NET_BIND_SERVICE or CAP_SYS_ADMIN) that can be granted to a process individually. This recommendation enforces that containers receive only the capabilities they actually need, so that a compromised container has fewer root-like powers available to it.
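As an added example (not part of this recommendation page), the following Python helper decodes the CapEff bitmask a container process reports in /proc/<pid>/status and flags any capability outside a per-workload allowlist, which is a quick way to verify what a running container actually holds. The sample status text and the single-capability allowlist are constructed for illustration.

```python
"""Decode a process's effective Linux capabilities and compare them with an allowlist."""

# Bit index == CAP_* value from <linux/capability.h>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Constructed sample: the /proc/<pid>/status excerpt of a container that was started
# with a typical runtime default capability set instead of a minimal one.
SAMPLE_STATUS = (
    "Name:\tnginx\nPid:\t1\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff mask (hex in /proc) as an integer; raise if the line is missing."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapEff line not found in status text")


def decode_caps(mask: int) -> set:
    """Map each set bit in the mask to its CAP_* name (unknown bits keep a numeric name)."""
    return {CAP_NAMES.get(bit, f"CAP_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def excess_caps(mask: int, allowed: set) -> set:
    """Capabilities the process holds beyond what the workload's allowlist permits."""
    return decode_caps(mask) - allowed


def read_live_cap_eff(pid: str = "self") -> int:
    """Read the effective capability mask of a live process (run inside the container)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as status_file:
        return parse_cap_eff(status_file.read())


if __name__ == "__main__":
    # Constructed allowlist: a web server that only needs to bind a privileged port.
    extra = excess_caps(parse_cap_eff(SAMPLE_STATUS), {"CAP_NET_BIND_SERVICE"})
    print("Capabilities beyond the allowlist:", sorted(extra))
```

Run it inside a container (or point read_live_cap_eff at a PID on the node) to see what the effective set really is after the pod spec's drop/add rules have been applied.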

Benefits of implementation

  • Limits the blast radius if a container is compromised
  • Follows the principle of least privilege
  • Required by CIS Kubernetes Benchmark

Drawbacks and considerations

  • Some applications may require specific capabilities to function
  • Requires understanding of Linux capabilities per workload
  • May break existing workloads if applied without testing

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Details

Risk Level: CRITICAL
Category: Container Security
Azure Resource:
Frameworks: 3 frameworks
Last updated: 2026-02-12