Capability errors occur when requesting Linux capabilities denied by security policies. Fix by reviewing Pod Security Standards, dropping unnecessary capabilities, and adding only required ones.
Linux capabilities provide fine-grained control over privileged operations. When Kubernetes reports "capability not allowed," it means the Pod Security Policy, Pod Security Standard, or AppArmor/SELinux policies block the requested capability. This prevents the container from performing operations that require elevated privileges.
Review pod events and container logs for specific capability:
kubectl describe pod <pod-name>
kubectl logs <pod-name>Look for capability name in error message (e.g., CAP_NET_ADMIN).
Know what capabilities are allowed at each level:
kubectl get psp # Check Pod Security Policies
kubectl label namespace default pod-security.kubernetes.io/enforce=baselineRestricted (default): no capabilities
Baseline: allows some common ones
Unrestricted: allows most
Start with secure baseline and add only what is needed:
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
- NET_RAWAlways use UPPERCASE for capability names.
Linux capabilities must be in UPPERCASE with CAP_ prefix:
- Correct: CAP_NET_ADMIN, CAP_SYS_TIME, CAP_NET_BIND_SERVICE
- Wrong: cap_net_admin, NetAdmin, net_admin
See Linux man pages for full list of capabilities.
By default, non-root containers cannot use capabilities. If needed:
securityContext:
runAsUser: 0 # Run as root
capabilities:
add:
- CAP_NET_ADMINPrefer dropping ALL and adding specific capabilities instead.
For workloads needing capabilities, adjust namespace policy:
kubectl label namespace default \
pod-security.kubernetes.io/enforce=baseline \
--overwriteUse baseline carefully - unrestricted is rarely needed.
Verify AppArmor/SELinux is not blocking capability:
kubectl get pod <pod> -o yaml | grep -i apparmor
grep DENIED /var/log/audit/audit.logUpdate AppArmor profile to allow capability if necessary.
Test pod locally before cluster deployment:
kubectl apply -f pod.yaml --dry-run=serverThis validates against current Pod Security Policies.
For production, maintain restrictive security contexts by default. Document why each capability is needed. Use Kubernetes RBAC to limit who can deploy containers with elevated capabilities. Consider alternative approaches: use sidecar containers with required capabilities, use network policies instead of CAP_NET_ADMIN, or use host networking carefully. Monitor capability usage via audit logs.
No subnets found for EKS cluster
How to fix "eks subnet not found" in Kubernetes
unable to compute replica count
How to fix "unable to compute replica count" in Kubernetes HPA
error: context not found
How to fix "error: context not found" in Kubernetes
default backend - 404
How to fix "default backend - 404" in Kubernetes Ingress
serviceaccount cannot list resource
How to fix "serviceaccount cannot list resource" in Kubernetes