During a security audit of a microservices application deployed on Cisco Container Platform, the auditor discovers that some containers are running with privileged access. The development team argues that certain containers need to modify kernel parameters. Which security best practice should be recommended to minimize risk while allowing necessary kernel adjustments?
Adding only the single capability the workload actually needs (rather than `privileged: true`) grants the minimum required privilege and shrinks the attack surface compared to privileged mode.
Why this answer
Option A is correct because it applies the principle of least privilege: it grants only the specific Linux capability (CAP_SYS_ADMIN) needed for kernel-parameter writes instead of full privileged access. In Kubernetes (the orchestrator underneath Cisco Container Platform) that is a container `securityContext` with `capabilities.add: ["SYS_ADMIN"]`. Privileged mode, by contrast, grants every capability, exposes the node's device files, switches off the default seccomp and AppArmor confinement and makes `/proc` and `/sys` writable, so a compromised privileged container is effectively root on the host. Three practical caveats: CAP_SYS_ADMIN is itself a broad capability (mounts, namespaces and many administrative operations), so pair it with `capabilities.drop: ["ALL"]` and add nothing else; an added capability only lands in the process's effective set when the container runs as UID 0 (or the binary carries file capabilities), and the runtime still mounts `/proc/sys` read-only in a non-privileged container, so the entrypoint must remount it read-write (which CAP_SYS_ADMIN permits) before writing; and for namespaced sysctls Kubernetes offers an even narrower mechanism, the `securityContext.sysctls` field, which sets the parameters at pod start without granting the container any capability at all (safe sysctls are allowed by default, others only when the kubelet's `--allowed-unsafe-sysctls` permits them).
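The contrast described above, as an added example that is not part of the original page or of Cisco's documentation: three pod specs for one hypothetical workload, `sysctl-tuner`, showing the privileged spec the auditor objected to, the least-privilege rewrite the answer recommends, and the capability-free `sysctls` alternative. The pod names, namespace-free metadata and the image reference are placeholders.

```yaml
# Added example, not from the original page. Pod names and image are placeholders.
# 1. What the auditor found: full privileged mode.
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-tuner-privileged
spec:
  containers:
    - name: tuner
      image: example.internal/sysctl-tuner:1.0   # placeholder image
      securityContext:
        privileged: true   # all capabilities, host devices, no seccomp/AppArmor, writable /proc and /sys
---
# 2. Recommended rewrite (Option A): privileged stays at its default (false),
#    every capability is dropped, and only CAP_SYS_ADMIN is added back.
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-tuner-leastpriv
spec:
  containers:
    - name: tuner
      image: example.internal/sysctl-tuner:1.0   # placeholder image
      securityContext:
        # privileged: false is the default and need not be written
        runAsUser: 0                 # added capabilities are only effective for UID 0 (or with file caps)
        capabilities:
          drop: ["ALL"]
          add: ["SYS_ADMIN"]         # needed to remount /proc/sys rw and write kernel parameters
        seccompProfile:
          type: RuntimeDefault       # the default profile keeps applying; privileged mode would drop it
---
# 3. Narrower still, for namespaced parameters: no capability at all.
#    Values are set by the kubelet before the container starts.
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-tuner-declarative
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.tcp_syncookies        # "safe" sysctl, allowed by default
        value: "1"
      - name: net.ipv4.ip_local_port_range   # "safe" sysctl, allowed by default
        value: "10240 65535"
      # non-safe namespaced sysctls need --allowed-unsafe-sysctls on the kubelet;
      # node-wide (non-namespaced) sysctls cannot be set this way at all
  containers:
    - name: tuner
      image: example.internal/sysctl-tuner:1.0   # placeholder image
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

To find what the auditor found, the check is a one-liner against the live cluster: `kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.containers[*].securityContext.privileged}{"\n"}{end}'` lists every pod with the `privileged` flag of each container (empty means the default, false). Apply the rewritten manifests with `kubectl apply --dry-run=server -f` first so an admission policy that forbids CAP_SYS_ADMIN is reported before anything is scheduled.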
Exam trap
Cisco often tests the distinction between privileged mode and individual capabilities. Candidates commonly assume that `privileged: false` must be written out alongside a capability addition (it is already the default), or that nothing short of full privileged mode can change kernel settings.
How to eliminate wrong answers
Option B is wrong because explicitly setting `privileged: false` adds nothing when SYS_ADMIN is added through `capabilities.add`: the security context is non-privileged by default, and the option's wording implies a separate privileged flag must be toggled, which is not the case. Option C is wrong because running as root with CAP_SYS_ADMIN removed leaves the process unable to modify kernel parameters, directly contradicting the requirement. Option D is wrong because dropping all capabilities and running as non-root blocks the kernel-parameter changes the development team needs, so it fails the stated requirement.