Limit Capabilities

Docker starts containers with only a subset of the Linux kernel capabilities by default. You can change this set and drop capabilities (using --cap-drop) to harden your containers, or add capabilities (using --cap-add) if a workload needs them. Do not run containers with the --privileged flag - this grants ALL Linux kernel capabilities to the container.

The most secure setup is to drop all capabilities (--cap-drop all) and then add back only the ones the container actually requires.

For example:

docker run --cap-drop all --cap-add CHOWN alpine

Do not run containers with the --privileged flag.

In Kubernetes this is configured in the container's Security Context using the capabilities field.

kind: ...
apiVersion: ...
metadata:
  name: ...
spec:
  ...
  containers:
  - name: ...
    image: ...
    securityContext:
      ...
      capabilities:
        drop:
          - all
        add:
          - CHOWN
  ...

As a Kubernetes cluster administrator, you can configure it using Pod Security Policies.
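Whether the capability set was applied through the Docker flags above or through a Kubernetes securityContext, the effective set is visible as the CapEff bitmask in /proc/<pid>/status inside the container. The script below is an added example (not part of this cheat sheet) that decodes such a mask into capability names so you can confirm that only the intended capabilities remain; the sample masks are constructed (Docker's default set and the --cap-drop all --cap-add CHOWN result), and the bit-to-name table follows the kernel's capability numbering.

```shell
#!/bin/sh
# Decode a CapEff bitmask (as printed in /proc/<pid>/status) into capability
# names, so the result of --cap-drop/--cap-add or a Kubernetes securityContext
# can be verified without installing libcap's capsh inside the image.
# Obtain the mask from a running container, e.g. (not executed here):
#   docker run --rm --cap-drop all --cap-add CHOWN alpine grep CapEff /proc/self/status
#   CapEff: 0000000000000001

# Capability names in kernel bit order: bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf \
checkpoint_restore"

# decode_caps <hex-mask>: print each capability that is set, one per line, as cap_<name>.
decode_caps() {
    mask=$((0x$1))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "cap_$name"
        fi
        bit=$((bit + 1))
    done
}

# count_caps <hex-mask>: number of capabilities set, a quick "is this minimal?" check.
count_caps() {
    decode_caps "$1" | wc -l | tr -d ' '
}

# Constructed sample masks: Docker's default capability set, and the set left
# after "--cap-drop all --cap-add CHOWN".
DEFAULT_MASK=00000000a80425fb
CHOWN_ONLY_MASK=0000000000000001

echo "default docker container ($(count_caps $DEFAULT_MASK) caps):"
decode_caps $DEFAULT_MASK
echo "--cap-drop all --cap-add CHOWN ($(count_caps $CHOWN_ONLY_MASK) caps):"
decode_caps $CHOWN_ONLY_MASK
```

To check a live container, replace the sample mask with the CapEff value read from /proc/1/status inside it; a privileged container shows a mask with every bit set.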