Launch excessively capable container

​

Event Information

​

Meaning

• The Launch Excessively Capable Container event in a Kubernetes cluster indicates that a container has been launched with more capabilities than necessary.
• This event could be a potential security risk as it increases the attack surface of the container, allowing it to perform actions that may not be required for its intended purpose.
• To address this event, it is recommended to review the container’s security context and limit the capabilities to only those that are essential for its functionality. This can be done by setting the “capabilities” field in the container’s security context to a more restricted set of capabilities. Use the kubectl edit pod <pod-name> command to modify the container’s security context.

​

Remediation

1. Identify the excessively capable container:
   • Use the Kubernetes API to list all the pods in the affected namespace.
   • Filter the pods based on the criteria mentioned in the event, such as resource limits or privileged containers.
2. Modify the pod manifest file:
   • Retrieve the manifest file of the identified pod using the Kubernetes API.
   • Update the manifest file to remove or adjust the resource limits or privileged status of the container causing the issue.
3. Apply the changes:
   • Use the Kubernetes API to apply the modified manifest file and update the pod.
   • Verify that the changes have been successfully applied by checking the pod’s status.