polaris/checks/insecureCapabilities.yaml

successMessage: Container does not have any insecure capabilities
failureMessage: Container should not have insecure capabilities
category: Security
target: Container
schema:
  '$schema': http://json-schema.org/draft-07/schema
  type: object
  required:
  - securityContext
  properties:
    securityContext:
      type: object
      required:
      - capabilities
      properties:
        capabilities:
          type: object
          required:
          - drop
          properties:
            drop:
              type: array
              oneOf:
              - contains:
                  pattern: '^(?i)ALL$'
              - allOf:
                - contains:
                    pattern: '^(?i)NET_ADMIN$'
                - contains:
                    pattern: '^(?i)CHOWN$'
                - contains:
                    pattern: '^(?i)DAC_OVERRIDE$'
                - contains:
                    pattern: '^(?i)FSETID$'
                - contains:
                    pattern: '^(?i)FOWNER$'
                - contains:
                    pattern: '^(?i)MKNOD$'
                - contains:
                    pattern: '^(?i)NET_RAW$'
                - contains:
                    pattern: '^(?i)SETGID$'
                - contains:
                    pattern: '^(?i)SETUID$'
                - contains:
                    pattern: '^(?i)SETFCAP$'
                - contains:
                    pattern: '^(?i)SETPCAP$'
                - contains:
                    pattern: '^(?i)NET_BIND_SERVICE$'
                - contains:
                    pattern: '^(?i)SYS_CHROOT$'
                - contains:
                    pattern: '^(?i)KILL$'
                - contains:
                    pattern: '^(?i)AUDIT_WRITE$'
mutations:
  - op: replace
    path: /securityContext/capabilities
    value: {"drop": ["ALL"]}