Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed.
kustomize build https://github.com/kyverno/policies/pod-security/default/ | kubectl apply -f -
This command installs the policies with validationFailureAction: enforce, so resources that violate a policy are blocked at admission. Alternatively, you can clone the Git repository and install the policies from there.
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces.
HostPath volumes let pods mount host directories and volumes into containers. Access to host resources can expose shared data or be used to escalate privileges, so hostPath volumes should not be allowed.
Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list.
Privileged mode disables most security mechanisms and must not be allowed.
The default /proc masks are set up to reduce attack surface and should be required.
SELinux options can be used to escalate privileges and should not be allowed.
On supported hosts, the 'runtime/default' AppArmor profile is applied by default. Pods should not be allowed to override or disable this profile, or overrides should be restricted to an allowed set of profiles.
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed “safe” subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
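As an added example (not one of the policies in the repository above), a Kyverno ClusterPolicy that enforces the sysctl rule, followed by a constructed Pod it rejects. The policy name, Pod name, image and sysctl values are assumptions; the allowed names are the Kubernetes safe-sysctl set, which newer Kubernetes releases extend, so check the list for your cluster version.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sysctls-example   # hypothetical name for this added example
spec:
  # Enforce rejects violating Pods at admission; Audit would only report them.
  validationFailureAction: Enforce
  # Also scan existing Pods so policy reports cover pre-existing violations.
  background: true
  rules:
    - name: check-sysctls
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Setting sysctls outside the safe set is disallowed.
          spec.securityContext.sysctls must be unset or list only
          names from the allowed safe sysctl set.
        pattern:
          spec:
            # "=(...)" marks the key optional: a Pod that sets no sysctls passes.
            =(securityContext):
              =(sysctls):
                # Every list entry must match this pattern; "|" separates allowed names.
                - name: "kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start | net.ipv4.tcp_syncookies | net.ipv4.ping_group_range"
---
# Constructed Pod: rejected by the policy above, because vm.max_map_count is a
# node-wide kernel setting, not namespaced, and so is outside the safe set.
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-demo
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ip_unprivileged_port_start   # allowed: namespaced per Pod
        value: "80"
      - name: vm.max_map_count                      # rejected: affects the whole node
        value: "262144"
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
```

Removing the vm.max_map_count entry makes the Pod admissible; with validationFailureAction set to Audit instead, the same Pod would be admitted and the violation recorded in a PolicyReport.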