Back to catalog

Drop All Capabilities

No violationsstackroxlowdeploy

Alert when a deployment does not drop all capabilities.

Rationale
Because capabilities permit privileged operations, it is a recommended best practice to drop all capabilities that a deployment can have, and then add only the capabilities that the deployment needs.
Remediation
Ensure that the deployment manifest has `drop: ALL` in the securityContext section of the container manifest.
CategoriesDevOps Best Practices
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.9
ISO/IEC 27001 2022
A.8.25
SOC 2 2017 TSC
CC8.1

Generated artifacts

3 of 5 targets supported
drop-all-capabilities.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-all-capabilities
  annotations:
    policies.kyverno.io/title: Drop All Capabilities
    policies.kyverno.io/category: DevOps Best Practices
    policies.kyverno.io/severity: low
    policies.kyverno.io/description: Alert when a deployment does not drop all capabilities.
    policies.kyverno.io/remediation: "Ensure that the deployment manifest has `drop: ALL` in the securityContext section of the container manifest."
    policies.kyverno.io/rationale: Because capabilities permit privileged operations, it is a recommended best practice to drop all capabilities that a deployment can have, and then add only the capabilities that the deployment needs.
    policies.io/source: stackrox
    policies.io/source-id: dd478ad6-b9c9-4abf-92e0-847408aecb8d
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: drop-all-capabilities
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Drop All Capabilities" violated: Alert when a deployment does not drop all capabilities.'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].securityContext.capabilities.drop[] || `[]` }}"
                operator: AllNotIn
                value:
                  - ALL
      exclude:
        any:
          - resources:
              namespaces:
                - stackrox
          - resources:
              namespaces:
                - kube-system
          - resources:
              namespaces:
                - istio-system
IR (canonical)
{
  "id": "dd478ad6-b9c9-4abf-92e0-847408aecb8d",
  "name": "Drop All Capabilities",
  "description": "Alert when a deployment does not drop all capabilities.",
  "rationale": "Because capabilities permit privileged operations, it is a recommended best practice to drop all capabilities that a deployment can have, and then add only the capabilities that the deployment needs.",
  "remediation": "Ensure that the deployment manifest has `drop: ALL` in the securityContext section of the container manifest.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on stackrox namespace",
      "namespace": "stackrox"
    },
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "drop-capabilities",
    "values": [
      "ALL"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "dd478ad6-b9c9-4abf-92e0-847408aecb8d",
  "name": "Drop All Capabilities",
  "description": "Alert when a deployment does not drop all capabilities.",
  "rationale": "Because capabilities permit privileged operations, it is a recommended best practice to drop all capabilities that a deployment can have, and then add only the capabilities that the deployment needs.",
  "remediation": "Ensure that the deployment manifest has `drop: ALL` in the securityContext section of the container manifest.",
  "disabled": true,
  "categories": [
    "DevOps Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on stackrox namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Drop Capabilities",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "ALL"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}