CAP_DROP set

Definition

CAP_DROP is a security control for Linux containers that removes specific capabilities from the default set the container runtime grants to container processes. Capabilities are fine-grained privileges that let a process perform individual privileged operations without holding full root access. Dropping the capabilities a workload does not need reduces its attack surface and improves the security posture of the containerized application.

Secure Settings Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: my-secure-image
    securityContext:
      capabilities:
        drop:
        - NET_RAW
        - SYS_ADMIN

Insecure Settings Example (an empty drop list leaves the runtime's default capability set untouched)

apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: my-insecure-image
    securityContext:
      capabilities:
        drop: []
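As an added example (not code from the original page), the following Python check audits the two manifests above for missing capability drops. The manifests are embedded as the dicts yaml.safe_load would return; the required-drop baseline REQUIRED_DROPS is an assumption chosen to match the page's secure example.

```python
# Added example: audit Pod manifests for capability drops.
# Manifests are plain dicts (what yaml.safe_load returns); both are
# constructed copies of the page's secure and insecure examples.

# Assumed baseline: the capabilities every container must drop.
REQUIRED_DROPS = {"NET_RAW", "SYS_ADMIN"}

SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {"containers": [{
        "name": "secure-container", "image": "my-secure-image",
        "securityContext": {"capabilities": {"drop": ["NET_RAW", "SYS_ADMIN"]}},
    }]},
}

INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "insecure-pod"},
    "spec": {"containers": [{
        "name": "insecure-container", "image": "my-insecure-image",
        "securityContext": {"capabilities": {"drop": []}},
    }]},
}


def dropped_capabilities(container):
    """Return the normalised set of capabilities a container drops.
    Kubernetes accepts names with or without the CAP_ prefix, so both
    forms are folded to the bare upper-case name."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return {str(c).upper().removeprefix("CAP_") for c in (caps.get("drop") or [])}


def audit_pod(pod, required=REQUIRED_DROPS):
    """Map each container name to the sorted list of required drops it lacks.
    Dropping ALL satisfies every requirement; an empty or absent drop list
    keeps the runtime's default capability set, so every requirement fails."""
    findings = {}
    for container in pod.get("spec", {}).get("containers", []):
        dropped = dropped_capabilities(container)
        missing = set() if "ALL" in dropped else set(required) - dropped
        findings[container["name"]] = sorted(missing)
    return findings


if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        for name, missing in audit_pod(pod).items():
            status = "ok" if not missing else "missing drops: " + ", ".join(missing)
            print(f"{pod['metadata']['name']}/{name}: {status}")
```

Running it reports secure-pod/secure-container as ok and insecure-pod/insecure-container as missing NET_RAW and SYS_ADMIN.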