🔒 Pod Security Standards: PSS-CapabilitiesDropAll
Rule: PSS-008 | Severity: high

Drop ALL capabilities

Description

The Pod Security Standards "Restricted" profile requires every container in a pod (containers, initContainers and ephemeralContainers) to set securityContext.capabilities.drop: ["ALL"]; the only capability that may appear in securityContext.capabilities.add is NET_BIND_SERVICE.

⚠️ Risk Impact

Container runtimes grant a default set of roughly 14 Linux capabilities (the Docker/containerd default used by Kubernetes nodes), several of which widen the attack surface of a compromised container (for example NET_RAW, SETUID and SYS_CHROOT). Dropping ALL and re-adding only what the workload actually needs is the secure pattern; dropping a hand-picked list leaves the rest of the default set in place.

🔍 How EchelonGraph Detects This

PSS-008 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks every container spec in connected clusters and cloud accounts for this condition. Any container that does not drop ALL, or that adds a capability other than NET_BIND_SERVICE, is flagged as a high-severity finding with remediation guidance.

🔧 Remediation

Set securityContext.capabilities.drop: ["ALL"] on every container (including init and ephemeral containers). Re-add only what the workload needs, which is typically just NET_BIND_SERVICE for services that must bind a port below 1024; where the service can listen on an unprivileged port instead, no add is needed at all.
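The check described above and the remediation it calls for, as an added example written for this page (it is not EchelonGraph's scanner code and not the Kubernetes pod-security-admission source). The two pod specs are constructed samples expressed as Python dicts that mirror the YAML of pod.spec; the function and container names are hypothetical.

```python
"""Check pod specs for the PSS Restricted capabilities rule and harden them.

Illustrative code written for this page. The specs below are constructed
samples, not manifests from any real cluster.
"""
import copy
from typing import Dict, List

ALLOWED_ADD = {"NET_BIND_SERVICE"}
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")

# Constructed sample: three common mistakes in one pod.
WEAK_POD: Dict = {
    "initContainers": [
        {"name": "init", "image": "example/init:1.0",
         # drops ALL but re-adds a capability the profile forbids
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["SYS_ADMIN"]}}},
    ],
    "containers": [
        {"name": "web", "image": "example/web:1.0",
         # drops one capability only; the other runtime defaults remain
         "securityContext": {"capabilities": {"drop": ["NET_RAW"], "add": ["NET_BIND_SERVICE"]}}},
        {"name": "sidecar", "image": "example/sidecar:1.0"},  # no securityContext at all
    ],
}

# Constructed sample: the same pod written to the Restricted profile.
HARDENED_POD: Dict = {
    "initContainers": [
        {"name": "init", "image": "example/init:1.0",
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
    "containers": [
        {"name": "web", "image": "example/web:1.0",
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
}


def _caps(container: Dict) -> Dict:
    """Return container.securityContext.capabilities, tolerating absent or null fields."""
    sc = container.get("securityContext") or {}
    return sc.get("capabilities") or {}


def check_capabilities(pod_spec: Dict) -> List[str]:
    """Return one finding per violation; an empty list means the pod is compliant.

    Mirrors the Restricted-profile logic: every container (init, regular,
    ephemeral) must list the literal "ALL" in capabilities.drop, and
    capabilities.add may contain nothing but NET_BIND_SERVICE. Dropping
    individual capabilities (e.g. only NET_RAW) does not satisfy the rule.
    """
    findings: List[str] = []
    for field in CONTAINER_FIELDS:
        for c in pod_spec.get(field) or []:
            caps = _caps(c)
            drop = caps.get("drop") or []
            add = caps.get("add") or []
            where = f"{field}[{c.get('name', '?')}]"
            if "ALL" not in drop:
                findings.append(f"{where}: capabilities.drop must contain ALL (got {drop})")
            extra = sorted(set(add) - ALLOWED_ADD)
            if extra:
                findings.append(f"{where}: capabilities.add may only contain NET_BIND_SERVICE (got {extra})")
    return findings


def harden(pod_spec: Dict) -> Dict:
    """Return a copy with drop: [ALL] on every container and every add entry
    other than NET_BIND_SERVICE removed. Removing an add is a behaviour change
    (a process that relied on it will fail), so review each stripped capability
    with the workload owner before applying the result.
    """
    spec = copy.deepcopy(pod_spec)
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            keep = [a for a in (_caps(c).get("add") or []) if a in ALLOWED_ADD]
            new_caps: Dict = {"drop": ["ALL"]}
            if keep:
                new_caps["add"] = keep
            sc = c.get("securityContext") or {}
            sc["capabilities"] = new_caps
            c["securityContext"] = sc
    return spec


if __name__ == "__main__":
    for name, spec in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{name}: {check_capabilities(spec) or 'compliant'}")
    print("weak after harden():", check_capabilities(harden(WEAK_POD)) or "compliant")
```

The check is deliberately literal: it looks for the string "ALL" in drop, as the admission controller does, so a spec that drops every capability by name still fails. That matches the intent of the rule, since any capability added to the runtime default set later would otherwise slip through.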

💀 Real-World Attack Scenario

A container kept CAP_SETUID from the runtime default set. Once the application inside it was compromised, the attacker called setuid() to become root within the container, turning an application bug into a root foothold from which to probe the node.

💰 Cost of Non-Compliance

Retained capabilities are a frequent link in privilege-escalation chains that end in a container escape, so each unnecessary capability raises the cost of an otherwise contained compromise.

📋 Audit Questions

  • 1. Is the drop-ALL pattern applied to every container, including init and ephemeral containers?
  • 2. Is the allowlist of re-added capabilities documented, with a justification for each entry?

🎯 MITRE ATT&CK Mapping

T1068 — Exploitation for Privilege Escalation

⚡ Common Pitfalls

  • Dropping only specific capabilities (for example just NET_RAW) leaves the rest of the runtime default set in place
  • No PSS enforcement: without the pod-security.kubernetes.io/enforce=restricted namespace label, non-compliant pods are still admitted

📈 Business Value

Drop-ALL is the strongest capability-reduction pattern: it makes the allowlist explicit and reviewable, and it is unaffected by changes to the runtime's default set.

⏱️ Effort Estimate

Manual: per-container (edit each container's securityContext)

With EchelonGraph: enforced via the PSS Restricted profile

🔗 Cross-Framework References

CIS-K8S-5.2.10

Automate Pod Security Standards PSS-CapabilitiesDropAll compliance

EchelonGraph continuously monitors this control across all your cloud accounts.

Start Free →