Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range.
This recipe has no required configuration options. It can be activated by adding a dependency on org.openrewrite.recipe:rewrite-kubernetes:2.3.0 in your build file or by running a shell command (in which case no build changes are needed):
```yaml
---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.kubernetes.LimitContainerCapabilities
displayName: Limit root capabilities in a container
description: Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range.
tags:
  - kubernetes
recipeList:
  - org.openrewrite.kubernetes.AddConfiguration:
      resourceKind: Pod
      configurationPath: $.spec.containers
      value:
        securityContext:
          capabilities:
            drop:
              - ALL
```
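To see which containers still fall outside what this recipe enforces, the following added example (not part of rewrite-kubernetes or of the original page) audits `kubectl get pods -o json` output for containers that do not drop `ALL` or that add capabilities back. The function name `audit_capabilities` and the sample Pod are constructed for illustration.

```python
import json

# Constructed sample in the shape `kubectl get pods -o json` returns (a List of Pods).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web"},
   "spec": {
     "initContainers": [{"name": "migrate", "image": "example/migrate:1"}],
     "containers": [
       {"name": "app", "image": "example/app:1",
        "securityContext": {"capabilities": {"drop": ["ALL"]}}},
       {"name": "proxy", "image": "example/proxy:1",
        "securityContext": {"capabilities": {"drop": ["ALL"],
                                             "add": ["NET_BIND_SERVICE"]}}},
       {"name": "sidecar", "image": "example/sidecar:1",
        "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}
     ]}}
]}
""")

# Capabilities are set per container, so every container list in the Pod spec is checked.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")

def audit_capabilities(doc):
    """Return one finding per container that keeps default capabilities or adds any."""
    pods = doc.get("items", [doc])  # accept a List or a single Pod object
    findings = []
    for pod in pods:
        if pod.get("kind") != "Pod":
            continue
        meta = pod.get("metadata", {})
        for field in CONTAINER_FIELDS:
            for c in pod.get("spec", {}).get(field) or []:
                caps = (c.get("securityContext") or {}).get("capabilities") or {}
                drops_all = "ALL" in (caps.get("drop") or [])
                added = sorted(caps.get("add") or [])
                if drops_all and not added:
                    continue  # matches the state the recipe aims for
                findings.append({
                    "pod": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                    "container": c["name"], "drops_all": drops_all, "added": added})
    return findings

if __name__ == "__main__":
    for finding in audit_capabilities(SAMPLE):
        print(finding)
```

Containers reported with `drops_all` true and a non-empty `added` list are the deliberate exceptions; the rest still run with the default capability set.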
See how this recipe works across multiple open-source repositories
The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.
Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.