← all rules
iac/kubernetes/k8s-dangerous-capabilities
Dangerous Linux capability added
highKubernetesiac-kubernetes
What it detects
Adding capabilities like `ALL`, `SYS_ADMIN`, `NET_ADMIN`, or `SYS_PTRACE` via `securityContext.capabilities.add` hands the container powerful kernel privileges that are frequently abused for container escape.
Remediation
Drop all capabilities (`capabilities: { drop: ["ALL"] }`) and add back only the specific, minimal ones the workload requires.
How it runs
Run against YAML files that look like Kubernetes manifests (top-level `apiVersion:` + `kind:`). Line-based checks across multi-document files; Helm-templated lines are skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.