
Add exception: Least privileged Linux capabilities should be enforced for containers [Medium]

Open emirgens opened this issue 2 years ago • 1 comment

To reduce attack surface of your container, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required.

  • [ ] Add exception for nginx

Sample from list: ingress-nginx/ingress-nginx-controller-597555d48f-qsjmf

Others need to be remediated.

Manual remediation:

  1. Make sure the lists of dropped capabilities and allowed capabilities are configured via the security policy parameters. We recommend setting the 'Required drop capabilities' parameter to ["ALL"] to enforce dropping all capabilities. By default, the recommendation will only block adding capabilities.
  2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the running containers with capabilities outside the configured list.
  3. Limit the containers' Linux capabilities. To add or remove Linux capabilities for a container, include a `capabilities` section in the `securityContext` section of the container manifest with the relevant capabilities set, e.g. `drop: ["ALL"]; add: ["NET_ADMIN", "SYS_TIME"]`.
  4. After making your changes, redeploy the pod with the updated capabilities.

emirgens avatar Jun 08 '23 13:06 emirgens

We should keep chroot enabled on ingress-nginx:

https://kubernetes.io/blog/2022/04/28/ingress-nginx-1-2-0/

Richard87 avatar Jan 24 '24 12:01 Richard87
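As an added illustration of the remediation steps above and of the chroot note (not code from this issue, Defender for Cloud, or ingress-nginx), the check below evaluates a pod manifest against the policy "drop ALL, add only from an allowlist". The allowlist (`NET_BIND_SERVICE`, plus `SYS_CHROOT` for a chroot-based ingress-nginx image) and both sample manifests are constructed assumptions for this example.

```python
"""Check pod manifests for the 'drop ALL, add only allowlisted' capability policy."""

# Policy parameters, mirroring 'Required drop capabilities' = ["ALL"] plus an
# allowlist of capabilities a container may add back (assumed for this example).
REQUIRED_DROP = {"ALL"}
ALLOWED_ADD = {"NET_BIND_SERVICE", "SYS_CHROOT"}


def _norm(cap: str) -> str:
    """Normalize a capability name: Kubernetes uses names without CAP_."""
    return cap.upper().removeprefix("CAP_")


def check_container(container: dict) -> list[str]:
    """Return a list of findings for one container; empty means compliant."""
    name = container.get("name", "<unnamed>")
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop", [])}
    added = {_norm(c) for c in caps.get("add", [])}
    findings = []
    if not REQUIRED_DROP <= dropped:  # a missing securityContext drops nothing
        findings.append(f"{name}: does not drop ALL (drops {sorted(dropped) or 'nothing'})")
    extra = added - ALLOWED_ADD
    if extra:
        findings.append(f"{name}: adds capabilities outside allowlist: {sorted(extra)}")
    return findings


def check_pod(pod: dict) -> list[str]:
    """Check every container and initContainer in a pod manifest."""
    spec = pod.get("spec", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c))
    return findings


# Constructed sample manifests (not real cluster objects).
WEAK_POD = {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}},
    {"name": "sidecar"},  # no securityContext at all: keeps the default capability set
]}}

HARDENED_POD = {"spec": {"containers": [
    {"name": "controller", "securityContext": {"capabilities": {
        "drop": ["ALL"], "add": ["NET_BIND_SERVICE", "SYS_CHROOT"]}}},
]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "compliant")
```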