in policy/check_capabilities_restricted.go [72:129]
func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var (
containersMissingDropAll []string
containersAddingForbidden []string
forbiddenCapabilities = sets.NewString()
)
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext == nil || container.SecurityContext.Capabilities == nil {
containersMissingDropAll = append(containersMissingDropAll, container.Name)
return
}
droppedAll := false
for _, c := range container.SecurityContext.Capabilities.Drop {
if c == capabilityAll {
droppedAll = true
break
}
}
if !droppedAll {
containersMissingDropAll = append(containersMissingDropAll, container.Name)
}
addedForbidden := false
for _, c := range container.SecurityContext.Capabilities.Add {
if c != capabilityNetBindService {
addedForbidden = true
forbiddenCapabilities.Insert(string(c))
}
}
if addedForbidden {
containersAddingForbidden = append(containersAddingForbidden, container.Name)
}
})
var forbiddenDetails []string
if len(containersMissingDropAll) > 0 {
forbiddenDetails = append(forbiddenDetails, fmt.Sprintf(
`%s %s must set securityContext.capabilities.drop=["ALL"]`,
pluralize("container", "containers", len(containersMissingDropAll)),
joinQuote(containersMissingDropAll)))
}
if len(containersAddingForbidden) > 0 {
forbiddenDetails = append(forbiddenDetails, fmt.Sprintf(
`%s %s must not include %s in securityContext.capabilities.add`,
pluralize("container", "containers", len(containersAddingForbidden)),
joinQuote(containersAddingForbidden),
joinQuote(forbiddenCapabilities.List())))
}
if len(forbiddenDetails) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "unrestricted capabilities",
ForbiddenDetail: strings.Join(forbiddenDetails, "; "),
}
}
return CheckResult{Allowed: true}
}