CAP_DROP

Definition

CAP_DROP is a container security setting (Docker's --cap-drop, the Compose cap_drop key, Kubernetes' securityContext.capabilities.drop) that removes specific Linux capabilities from a process, reducing its privilege level. Capabilities are fine-grained permissions that let a process perform individual privileged operations without holding full root access. Dropping the capabilities a workload does not need shrinks its attack surface and improves the security posture of applications running in containers or on Linux systems.

Secure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: my-secure-image
    securityContext:
      capabilities:
        drop:
        - NET_RAW
        - SYS_ADMIN

Insecure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: my-insecure-image
    securityContext:
      capabilities:
        drop: []
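An empty drop list removes nothing, so the insecure container keeps the runtime's default capability set. The following Python audit is an added example, not part of the original page: it takes Pod manifests as the dicts that yaml.safe_load would return for the two specs above (constructed inline here) and reports containers whose drop list does not cover an assumed policy of NET_RAW and SYS_ADMIN; dropping ALL always satisfies the policy.

```python
# Added example: audit Kubernetes Pod manifests for missing capability drops.
# REQUIRED_DROPS is an assumed policy; the two pods below are constructed to
# mirror the secure and insecure manifests shown on this page.

REQUIRED_DROPS = {"NET_RAW", "SYS_ADMIN"}


def _norm(cap):
    # Kubernetes accepts both "NET_RAW" and "CAP_NET_RAW"; compare on the bare name.
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_pod(pod, required=REQUIRED_DROPS):
    """Return [(container_name, sorted missing caps)] for every container
    (including initContainers) whose securityContext.capabilities.drop does
    not cover `required`. A drop list containing "ALL" passes."""
    findings = []
    spec = pod.get("spec") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        caps = ((c.get("securityContext") or {}).get("capabilities")) or {}
        dropped = {_norm(x) for x in (caps.get("drop") or [])}
        if "ALL" in dropped:
            continue
        missing = sorted(required - dropped)
        if missing:
            findings.append((c.get("name", "<unnamed>"), missing))
    return findings


# Constructed manifests (what yaml.safe_load would return for the page's YAML).
SECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
              "spec": {"containers": [{"name": "secure-container", "image": "my-secure-image",
                       "securityContext": {"capabilities": {"drop": ["NET_RAW", "SYS_ADMIN"]}}}]}}
INSECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "insecure-pod"},
                "spec": {"containers": [{"name": "insecure-container", "image": "my-insecure-image",
                         "securityContext": {"capabilities": {"drop": []}}}]}}

if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        name = pod["metadata"]["name"]
        for container, missing in audit_pod(pod) or []:
            print(f"{name}/{container}: does not drop {', '.join(missing)}")
        if not audit_pod(pod):
            print(f"{name}: OK")
```

With pyyaml installed, `audit_pod(yaml.safe_load(open("pod.yaml")))` runs the same check against a real manifest.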