5.2.9 Minimize the admission of containers with capabilities assigned

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Do not generally permit containers with capabilities


Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user.

In many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized.


Pods with containers which require capabilities to operate will not be permitted.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a SCC which forbids the admission of containers which do not drop all capabilities.

Default Value:

By default, OpenShift 4 clusters include the following SCCs:

anyuid Required Drop Capabilities: MKNOD

hostaccess Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID

hostmount-anyuid Required Drop Capabilities: MKNOD

hostnetwork Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID

node-exporter Required Drop Capabilities: <none>

non-root Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID

privileged Required Drop Capabilities: <none>

restricted Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID

See Also