Add support for checking Capabilities set when using PSA/PSS restricted #591

@wargamez

When using PSA restricted, one of the requirements is that you must set:

```yaml
capabilities:
  drop: ["ALL"]
```

Capabilities (v1.22+)
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. This is Linux only policy in v1.25+ (.spec.os.name != "windows")

Please add a check for this:
https://kubernetes.io/docs/concepts/security/pod-security-standards/

/E
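The check being requested, written out as a stand-alone example (this is added illustration code, not the project's own implementation or a patch for it). It takes a pod manifest as an already-parsed dict and applies the restricted-profile capability rule quoted above: every container, init container and ephemeral container must drop ALL and may add back only NET_BIND_SERVICE, and the rule is skipped for Windows pods (`spec.os.name == "windows"`). The pod manifests at the bottom are constructed sample input; the function and constant names are the example's own.

```python
"""Hypothetical checker for the Pod Security Standards "restricted" capability rule."""

from typing import Any, Dict, List

# Restricted profile: only NET_BIND_SERVICE may be added back after dropping ALL.
ALLOWED_ADD = {"NET_BIND_SERVICE"}

# PSA evaluates all three container lists, not just spec.containers.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def check_restricted_capabilities(pod: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable violations; an empty list means the pod complies.

    Rule (restricted, v1.22+): securityContext.capabilities.drop must contain "ALL"
    and capabilities.add may only contain NET_BIND_SERVICE. In v1.25+ the rule
    applies to Linux pods only (spec.os.name != "windows").
    """
    spec = pod.get("spec") or {}

    # Linux-only policy: a pod that declares the windows OS is exempt.
    if (spec.get("os") or {}).get("name") == "windows":
        return []

    violations: List[str] = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            name = container.get("name", "<unnamed>")
            sec_ctx = container.get("securityContext") or {}
            caps = sec_ctx.get("capabilities") or {}
            drop = caps.get("drop") or []
            add = caps.get("add") or []

            # Capability names are uppercase in Kubernetes, so the match is exact.
            if "ALL" not in drop:
                violations.append(
                    f'{field}/{name}: must set securityContext.capabilities.drop: ["ALL"]'
                )

            extra = sorted(set(add) - ALLOWED_ADD)
            if extra:
                violations.append(
                    f"{field}/{name}: capabilities.add may only contain NET_BIND_SERVICE, found {extra}"
                )
    return violations


# --- constructed sample manifests (not real workloads) ---

COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [
            {
                "name": "nginx",
                "image": "nginx",
                "securityContext": {
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}
                },
            }
        ]
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "busybox"}],  # no drop at all
        "containers": [
            {
                "name": "app",
                "image": "app",
                "securityContext": {
                    "capabilities": {"drop": ["ALL"], "add": ["SYS_ADMIN"]}
                },
            }
        ],
    },
}

WINDOWS_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "iis"},
    "spec": {"os": {"name": "windows"}, "containers": [{"name": "iis", "image": "iis"}]},
}


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD, WINDOWS_POD):
        print(pod["metadata"]["name"], check_restricted_capabilities(pod) or "OK")
```

Note that a missing `securityContext`, a missing `capabilities` block, or a `drop` list that does not literally contain `ALL` all fail the check; the restricted profile requires the explicit drop, so "nothing declared" is not treated as compliant.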
