What are Linux capabilities, and why drop them in containers? [Advanced]
Answer
Linux capabilities split the single all-powerful root privilege into roughly 40 distinct units such as NET_ADMIN, SYS_ADMIN, CHOWN, and NET_BIND_SERVICE (CAP_NET_ADMIN and so on in the kernel's naming), so a process can hold exactly the subset it needs instead of all-or-nothing root. Containers should drop unnecessary capabilities because every capability a process holds is a tool for an attacker who compromises it: a capability the workload never uses cannot help the legitimate code, but it can widen the blast radius, and some (notably SYS_ADMIN) unlock well-known paths out of the container's isolation.
Technical explanation
By default, containers receive more capabilities than most workloads need. Docker and containerd, for example, start every container with a default set of 14 capabilities (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP); NET_RAW alone allows crafting arbitrary packets, which is enough for ARP spoofing inside the pod network.
Dropping ALL and adding back only what is required follows least privilege: in Kubernetes this is securityContext.capabilities.drop: ["ALL"] plus an explicit add list, ideally combined with runAsNonRoot and allowPrivilegeEscalation: false so no exec can regain what was dropped.
Some capabilities, especially SYS_ADMIN, are broad and should be avoided unless there is a strong reason; SYS_ADMIN covers mount(2) and many other privileged operations and is the one most often involved in container escapes. One caveat when adding capabilities back: for a container running as a non-root UID, an added capability may not end up in the process's effective set unless the binary carries file capabilities (setcap) or the runtime grants it as an ambient capability, so verify with capsh --print or the CapEff line of /proc/1/status inside the container rather than trusting the manifest.
Hands-on example
Example: a web service does not need NET_ADMIN or SYS_PTRACE, nor anything else from the runtime default set. Configure capabilities.drop: ["ALL"]. If it must be reachable on port 80, prefer listening on a higher port (for example 8080) and let the Service map port 80 to that targetPort; a second option is the net.ipv4.ip_unprivileged_port_start sysctl, which Kubernetes treats as a safe sysctl and which lets an unprivileged process bind low ports without any capability. Add only NET_BIND_SERVICE if neither is possible, and then check inside the running container that the effective set contains nothing else.
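The manifest the example describes and the verification step that goes with it, as an added illustration that is not part of the original answer. The image name, the app listening on 8080, and the sample /proc status snippets are constructed for the example; the decode function mirrors what capsh --decode does, for containers where capsh is not installed.

```bash
#!/usr/bin/env bash
# Added example: hardened Pod + Service manifest, and an offline decoder for
# the CapEff bitmask from /proc/<pid>/status. Image name is an assumption.

hardened_manifest() {
  # The app is assumed to listen on 8080 so no capability is needed for port 80;
  # the Service exposes 80 and forwards to 8080.
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: web
  labels: { app: web }
spec:
  containers:
  - name: web
    image: registry.example/web:1.0   # assumption: app listens on 8080
    ports:
    - containerPort: 8080
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        # add: ["NET_BIND_SERVICE"]   # only if binding <1024 is unavoidable
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector: { app: web }
  ports:
  - port: 80
    targetPort: 8080
EOF
}

# Capability names indexed by kernel bit number (0 = CAP_CHOWN ... 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps <16-hex-digit mask>  -> comma-separated capability names (empty if none)
decode_caps() {
  mask=$((0x$1)); i=0; names=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      names="${names:+$names,}$name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$names"
}

# has_cap <mask> <name>  -> exit 0 if the capability is set in the mask
has_cap() {
  case ",$(decode_caps "$1")," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# cap_eff <status text>  -> the CapEff value from /proc/<pid>/status content
cap_eff() {
  printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# Constructed /proc/1/status excerpts: a runtime-default container vs. drop ALL + NET_BIND_SERVICE.
DEFAULT_STATUS="Name: web
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb"
HARDENED_STATUS="Name: web
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400"

# In a live cluster you would get the same text with:
#   kubectl exec web -- cat /proc/1/status
echo "default  : $(decode_caps "$(cap_eff "$DEFAULT_STATUS")")"
echo "hardened : $(decode_caps "$(cap_eff "$HARDENED_STATUS")")"
```

The default mask a80425fb is the familiar runtime default set; the hardened one decodes to net_bind_service alone, which is the check worth putting in a CI or admission test.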