
How to Limit Capabilities in Kubernetes Pods for Security

To limit capabilities in a Kubernetes pod, use the securityContext field in the pod or container spec with capabilities to add or drop Linux capabilities. This controls what system privileges the container has, improving security by dropping unnecessary capabilities.

Syntax

The securityContext field in a pod or container spec allows you to control Linux capabilities. You can use capabilities.drop to remove default capabilities and capabilities.add to add specific ones.

Example fields explained:

  • securityContext.capabilities.drop: List of capabilities to remove.
  • securityContext.capabilities.add: List of capabilities to add.
```yaml
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
```

Example

This example shows a pod spec that drops all capabilities except NET_BIND_SERVICE, which allows binding to low ports. This limits the container's privileges to only what it needs.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: limited-capabilities-pod
spec:
  containers:
  - name: nginx
    image: nginx:1.23
    securityContext:
      capabilities:
        drop:
          - ALL
        add:
          - NET_BIND_SERVICE
```

Output:

```
Pod "limited-capabilities-pod" created
```

Common Pitfalls

Common mistakes when limiting capabilities include:

  • Not dropping ALL capabilities first, which leaves default capabilities enabled.
  • Adding unnecessary capabilities, increasing security risk.
  • Setting capabilities at pod level but overriding at container level unintentionally.

Always verify the effective capabilities inside the container using kubectl exec and capsh --print.
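The check above can be done without `capsh` in the image: the kernel exposes the effective capability set of any process as a hex bitmask on the `CapEff:` line of `/proc/<pid>/status`, and the bit position is the Linux capability number. The decoder below is an added example, not code from the original page; it is fed a captured `/proc/1/status` text (here two constructed samples, one for the pod above, one for a container that never dropped `ALL`) and reports which capabilities are live and which fall outside an allow-list you supply.

```python
"""Decode CapEff from /proc/<pid>/status into capability names (added example)."""
import re

# Linux capability numbers from include/uapi/linux/capability.h;
# CAP_NAMES[n] is the capability whose bit n is set in the mask.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]


def decode_cap_mask(hex_mask):
    """Return the names of all capabilities whose bit is set in a hex mask."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(64):
        if (mask >> bit) & 1:
            # Bits above the known table are reported by number so a newer
            # kernel's capabilities are not silently dropped from the report.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def caps_from_status(status_text, line="CapEff"):
    """Extract one Cap* line (CapEff by default) from /proc/<pid>/status text."""
    m = re.search(rf"^{line}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError(f"no {line} line found in status text")
    return decode_cap_mask(m.group(1))


def unexpected_caps(status_text, allowed):
    """Return effective capabilities that are not in the allowed set."""
    return sorted(set(caps_from_status(status_text)) - set(allowed))


# Constructed sample: PID 1 of the article's pod (drop ALL, add NET_BIND_SERVICE,
# running as root). Only bit 10 is set.
SAMPLE_LIMITED = (
    "Name:\tnginx\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t0000000000000400\n"
)

# Constructed sample: a container that did not drop ALL and kept the
# runtime's default set (14 capabilities, including NET_RAW and SYS_CHROOT).
SAMPLE_DEFAULT = "Name:\tnginx\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    # Real use: kubectl exec <pod> -- cat /proc/1/status > status.txt
    for label, text in (("limited", SAMPLE_LIMITED), ("default", SAMPLE_DEFAULT)):
        print(label, caps_from_status(text))
        print("  outside allow-list:", unexpected_caps(text, ["NET_BIND_SERVICE"]))
```

When the container runs as a non-root user, `CapEff` and `CapPrm` are normally all zeros; pass `line="CapBnd"` to `caps_from_status` to see the bounding set, which is what `drop` and `add` actually shape.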

Wrong example:

```yaml
securityContext:
  capabilities:
    add:
      - NET_ADMIN
```

Right example:

```yaml
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_ADMIN
```
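The three pitfalls above can be caught before a manifest reaches the cluster. The checker below is an added example, not code from the original page: it takes the dict form of a Pod (what `yaml.safe_load` returns for the manifests on this page, embedded here directly so it runs offline), inspects each container and init container separately (in the Kubernetes API `capabilities` exists only on the container-level `securityContext`, so a key placed under the pod-level `spec.securityContext` is reported as a mistake), requires `drop: [ALL]`, and flags any `add` entry that is not on an allow-list. The allow-list default of `NET_BIND_SERVICE` and the container name `app` used to wrap the two fragments above are assumptions of the example.

```python
"""Static check of Pod manifests for the capability pitfalls above (added example)."""

# Constructed: dict form of the article's limited-capabilities-pod manifest.
LIMITED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "limited-capabilities-pod"},
    "spec": {"containers": [{
        "name": "nginx", "image": "nginx:1.23",
        "securityContext": {"capabilities": {"drop": ["ALL"],
                                             "add": ["NET_BIND_SERVICE"]}},
    }]},
}


def _pod_with(security_context):
    """Constructed helper: wrap one container securityContext in a minimal Pod."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
            "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
                                     "securityContext": security_context}]}}


# The "Wrong" and "Right" fragments from the article, wrapped in a pod.
WRONG_POD = _pod_with({"capabilities": {"add": ["NET_ADMIN"]}})
RIGHT_POD = _pod_with({"capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}})


def check_capabilities(pod, allowed_adds=("NET_BIND_SERVICE",)):
    """Return a list of (scope, message) findings; an empty list means the pod passes."""
    findings = []
    spec = pod.get("spec") or {}

    # PodSecurityContext has no capabilities field: a key here is a misplaced
    # setting, never an effective one (pitfall 3).
    if "capabilities" in (spec.get("securityContext") or {}):
        findings.append(("pod", "capabilities set under spec.securityContext; "
                                "the API has no pod-level field, set it per container"))

    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        drop = caps.get("drop") or []
        add = caps.get("add") or []

        # Pitfall 1: without drop ALL the runtime default set stays in place.
        if "ALL" not in drop:
            findings.append((name, "does not drop ALL, so runtime default "
                                   "capabilities remain"))

        # Pitfall 2: every added capability must be justified on the allow-list.
        for cap in add:
            if cap == "ALL":
                findings.append((name, "adds ALL capabilities"))
            elif cap not in allowed_adds:
                findings.append((name, f"adds {cap}, which is not on the allow-list"))
    return findings


if __name__ == "__main__":
    for label, pod in (("limited", LIMITED_POD), ("wrong", WRONG_POD),
                       ("right", RIGHT_POD)):
        print(label, check_capabilities(pod) or "OK")
```

With the default allow-list the "Right" fragment still produces one finding (it adds `NET_ADMIN`): dropping `ALL` first fixes the pitfall the page names, while the allow-list is where a team records which added capabilities it has actually approved, so `check_capabilities(RIGHT_POD, allowed_adds=("NET_ADMIN",))` is the call that returns clean.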

Quick Reference

| Field | Description |
| --- | --- |
| securityContext.capabilities.drop | List of Linux capabilities to remove from the container. |
| securityContext.capabilities.add | List of Linux capabilities to add to the container. |
| ALL | Special keyword to drop all capabilities. |
| NET_BIND_SERVICE | Capability to bind to ports below 1024. |
| NET_ADMIN | Capability to perform network-related operations. |

Key Takeaways

  • Use securityContext.capabilities.drop to remove all default capabilities for better security.
  • Add only the minimal capabilities your container needs using securityContext.capabilities.add.
  • Verify capabilities inside the container to ensure your settings are effective.
  • Set capabilities at the container level to avoid unintended overrides.
  • Dropping unnecessary capabilities reduces the attack surface of your pods.