This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Someone deployed a container in a GKE cluster with an elevated security context that grants one or more of the following capabilities:
- CAP_SYS_MODULE
- CAP_SYS_RAWIO
- CAP_SYS_PTRACE
- CAP_SYS_BOOT
- CAP_DAC_READ_SEARCH
- CAP_NET_ADMIN
- CAP_BPF
These capabilities have previously been used to escape from containers and should be granted with caution.
How to respond
- Review the container's security context in its Pod definition and identify any capabilities that are not strictly necessary for its function.
- Remove or reduce excessive capabilities wherever possible, following the principle of least privilege.
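A small checker for the review step above, added here as an example (not code from this page or from Security Command Center). It takes a Pod as a Python dict, such as parsed `kubectl get pod -o json` output (an assumption), and flags every regular, init or ephemeral container that adds one of the listed capabilities, accepting both the CAP_ form the finding uses and the unprefixed form Kubernetes manifests normally use.

```python
# Capabilities the finding describes, in the CAP_ form the finding uses.
EXCESSIVE_CAPABILITIES = frozenset({
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE", "CAP_SYS_BOOT",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF",
})


def normalize_capability(name):
    """Kubernetes manifests usually write capabilities without the CAP_
    prefix (e.g. NET_ADMIN); normalize to CAP_ form for comparison."""
    name = name.strip().upper()
    return name if name.startswith("CAP_") else "CAP_" + name


def added_capabilities(container):
    """Capabilities a container adds via securityContext.capabilities.add."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return [normalize_capability(c) for c in caps.get("add") or []]


def find_excessive_capabilities(pod):
    """Return sorted (container name, capability) pairs for every regular,
    init or ephemeral container that adds a capability from the list.
    Input: a Pod as a dict, e.g. parsed `kubectl get pod -o json` output."""
    spec = pod.get("spec") or {}
    hits = set()
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            for cap in added_capabilities(container):
                if cap in EXCESSIVE_CAPABILITIES:
                    hits.add((container.get("name", "?"), cap))
    return sorted(hits)


# Constructed sample Pod (not from the page): "netshoot" adds two of the
# listed capabilities, "init" adds one, and "app" only drops capabilities.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example"}, "spec": {
    "initContainers": [{"name": "init", "securityContext": {
        "capabilities": {"add": ["CAP_SYS_MODULE", "CHOWN"]}}}],
    "containers": [
        {"name": "netshoot", "securityContext": {
            "capabilities": {"add": ["NET_ADMIN", "SYS_PTRACE"]}}},
        {"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
}}

if __name__ == "__main__":
    for name, cap in find_excessive_capabilities(SAMPLE_POD):
        print(f"container {name!r} adds {cap}")
```

Each reported pair is a candidate for the "remove or reduce" step; containers that only drop capabilities, like `app` in the sample, produce no report.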
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.