apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
securityContext:
runAsNonRoot: true