Execution: GKE launch excessively capable container
Premium and Enterprise service tiers
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Someone deployed, in a GKE cluster, a container whose security context grants
one or more of the following Linux capabilities:
CAP_SYS_MODULE: load and unload kernel modules on the node
CAP_SYS_RAWIO: perform raw I/O against devices, including /dev/mem and /dev/kmem
CAP_SYS_PTRACE: trace and inject into arbitrary processes (with hostPID, that includes host processes)
CAP_SYS_BOOT: reboot the node or load a new kernel with kexec
CAP_DAC_READ_SEARCH: bypass file read and directory search permission checks, including through open_by_handle_at()
CAP_NET_ADMIN: reconfigure network interfaces, routes and firewall rules on the node
CAP_BPF: load eBPF programs into the kernel
Each of these capabilities has been used in published container escapes. Grant
them only when the workload's function strictly requires them, and review any
container that holds them.
How to respond
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
To respond to this finding, do the following:
1. Review the container's securityContext in its Pod definition. Added capabilities are listed under securityContext.capabilities.add; a container with privileged: true holds all of them regardless of that list. Check initContainers as well as the main containers, and identify any capabilities that are not strictly necessary for the container's function.
2. Remove or reduce excessive capabilities whenever possible, following the principle of least privilege: drop ALL and add back only the capabilities the workload needs. Make the change in the workload's controller (for example, its Deployment or DaemonSet) rather than in the running Pod; otherwise the controller recreates the Pod with the original capabilities.
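The two response steps, as an added example that is not part of this page or of Security Command Center's tooling: a Python audit that reports, for each container in a Pod spec, which of the capabilities listed above it holds, and a hardening function that rewrites the securityContext to drop ALL and add back only what the container needs. It assumes Pod JSON in the shape that kubectl prints; the Pod, container and image names are constructed, and the script name in the usage comment is an assumption. It goes slightly beyond the page's list in treating privileged: true and add: ["ALL"] as holding every capability.

```python
"""Audit Pod specs for the capabilities this finding flags, then harden them.

Added example; it is not code from the Security Command Center page or from
Google. It expects Pod objects in the JSON shape that `kubectl get pod -o json`
returns. Pod names, namespaces and images below are constructed placeholders.
"""
import copy

# The capabilities named by the finding, in kernel (CAP_-prefixed) form.
FLAGGED_CAPABILITIES = frozenset({
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE", "CAP_SYS_BOOT",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF",
})


def normalize_capability(name):
    """Kernel-style name. Manifests conventionally omit CAP_ ("NET_ADMIN")."""
    name = name.strip().upper()
    return name if name.startswith("CAP_") or name == "ALL" else "CAP_" + name


def audit_pod(pod):
    """Return [(container name, sorted flagged capabilities)] for every
    container, init container or ephemeral container that holds a flagged
    capability. Beyond the page's list: privileged: true and add: ["ALL"]
    each grant every capability, so those containers are reported in full."""
    findings = []
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            ctx = container.get("securityContext") or {}
            added = {normalize_capability(c)
                     for c in (ctx.get("capabilities") or {}).get("add") or []}
            if ctx.get("privileged") or "ALL" in added:
                hits = sorted(FLAGGED_CAPABILITIES)
            else:
                hits = sorted(FLAGGED_CAPABILITIES & added)
            if hits:
                findings.append((container["name"], hits))
    return findings


def harden_container(container, keep=()):
    """Step 2 of the response plan: drop every capability and add back only
    `keep` (manifest-style names). Refuses to keep a flagged capability."""
    for cap in keep:
        normalized = normalize_capability(cap)
        if normalized in FLAGGED_CAPABILITIES or normalized == "ALL":
            raise ValueError(f"{cap} is exactly what this finding is about")
    hardened = copy.deepcopy(container)
    ctx = hardened.setdefault("securityContext", {})
    ctx.pop("privileged", None)
    ctx["allowPrivilegeEscalation"] = False
    ctx["capabilities"] = {"drop": ["ALL"], "add": list(keep)}
    return hardened


def harden_pod(pod, keep_by_container):
    """Return a copy of `pod` with every container hardened; `keep_by_container`
    maps container name -> capabilities that container genuinely needs."""
    hardened = copy.deepcopy(pod)
    for field in ("initContainers", "containers"):
        if field in hardened["spec"]:
            hardened["spec"][field] = [
                harden_container(c, keep_by_container.get(c["name"], ()))
                for c in hardened["spec"][field]
            ]
    return hardened


# Constructed sample: a Pod that would raise this finding.
VULNERABLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "netprobe", "namespace": "tools"},
    "spec": {"containers": [
        {"name": "probe", "image": "example.invalid/netprobe:1.0",
         "securityContext": {"capabilities": {
             "add": ["NET_ADMIN", "SYS_PTRACE", "NET_BIND_SERVICE"]}}},
        {"name": "sidecar", "image": "example.invalid/sidecar:1.0",
         "securityContext": {"privileged": True}},
    ]},
}

# The same Pod after step 2: probe keeps only the port-binding capability it
# actually needs; the sidecar loses privileged mode and every capability.
HARDENED_POD = harden_pod(VULNERABLE_POD, {"probe": ["NET_BIND_SERVICE"]})

if __name__ == "__main__":
    import json, sys
    pods = [VULNERABLE_POD, HARDENED_POD]
    if not sys.stdin.isatty():  # kubectl get pods -A -o json | python3 audit_caps.py
        pods = json.load(sys.stdin)["items"]
    for pod in pods:
        meta = pod["metadata"]
        for name, caps in audit_pod(pod):
            print(f"{meta.get('namespace', 'default')}/{meta['name']} "
                  f"container {name}: {', '.join(caps)}")
    print("hardened probe securityContext:",
          HARDENED_POD["spec"]["containers"][0]["securityContext"])
```

Run it against live cluster state with kubectl get pods -A -o json piped into the script (the audit_caps.py name is an assumption). Each hit names the container and the capability you must either justify or remove in step 2; apply the hardened securityContext to the workload's controller, not to the running Pod, or it will be recreated with the original capabilities.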
What's next
Learn how to work with threat findings in Security Command Center.
Refer to the Threat findings index.
Learn how to review a finding through the Google Cloud console.
Learn about the services that generate threat findings.
Last updated 2025-08-29 UTC.