Action Item: Avoiding Container Dangerous Capabilities

Containers should not have dangerous capabilities. Learn how Fairwinds Insights scans your Kubernetes clusters for this.


Hello, my name is James. I work as a software engineer at Fairwinds. Today I'm going to talk a little bit about containers running with some dangerous capabilities.

If you go to the Docker documentation, you can search for "Linux capabilities" and you will see every option you can add or remove related to Linux capabilities. The idea here is that you should not run a container with capabilities it doesn't need. The more capabilities you have, the more exposed you are to attacks.

Here I have a kind cluster running locally. I have the deploy.yaml file, and this deploy.yaml file has a busybox container running with some high-privilege capabilities. I am just deploying this.

Here in my local cluster, I have the Insights agent running, and it will send a report to Insights. In Insights, I go to Action Items, then I choose my cluster and filter by the title. Here is my busybox container. So Insights reports that it has a dangerous capability and explains how to fix that right in your workload configuration: you should remove the high-privilege capability by editing securityContext.capabilities.

Let's go to the file. Instead of "add", I'm going to use "drop". Saving this. I'm going to delete my pod, and I am applying again. It's running. Let's wait a little bit until the agent sends a new report. This report is provided by Fairwinds Polaris.

Let me filter by my cluster again and by dangerous capabilities. Okay. Let me wait a little bit more. Refresh the page. Filtering by my cluster. You see now the action item is gone because I have fixed it. That's how you can check, in Insights, for a container in your cluster that's running with dangerous capabilities, how you fix it, and how Insights reports that the workload was fixed.
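As an added example (not code from the video or from Fairwinds Insights/Polaris), the check below walks a Deployment's pod spec and flags containers whose securityContext.capabilities.add grants a dangerous capability, then runs it over a constructed "before" manifest like the busybox one and the "after" manifest that drops ALL instead. The list of capabilities treated as dangerous is an assumption here; consult your own policy engine's list.

```python
"""Flag Kubernetes workloads whose containers add dangerous Linux capabilities."""
import copy

# Assumed list of dangerous capabilities (hypothetical; compare it with the
# list used by your policy engine, such as Polaris' dangerous-capabilities check).
DANGEROUS_CAPABILITIES = {"ALL", "SYS_ADMIN", "NET_ADMIN"}


def container_findings(container):
    """Return the dangerous capabilities one container spec adds, sorted.

    Only the 'add' list matters: the runtime applies 'drop' first and 'add'
    second, so 'drop: [ALL]' does not cancel an explicit 'add: [SYS_ADMIN]'.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = {c.upper() for c in caps.get("add") or []}
    return sorted(added & DANGEROUS_CAPABILITIES)


def workload_findings(workload):
    """Return (container name, capability) pairs for a Deployment-like object."""
    pod_spec = workload["spec"]["template"]["spec"]
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [(c["name"], cap) for c in containers for cap in container_findings(c)]


# Constructed manifests standing in for the video's deploy.yaml, before and after the fix.
BEFORE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "busybox"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "busybox", "image": "busybox",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}},
    }]}}},
}
AFTER = copy.deepcopy(BEFORE)
AFTER["spec"]["template"]["spec"]["containers"][0]["securityContext"] = {
    "capabilities": {"drop": ["ALL"]}
}

if __name__ == "__main__":
    for label, workload in (("before", BEFORE), ("after", AFTER)):
        print(label, workload_findings(workload) or "no dangerous capabilities")
```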