- Capabilities
  - Docker already blocks some capabilities by default, such as SYS_ADMIN and NET_ADMIN
    - Thoughtlessly adding other capabilities back introduces unexpected security risks
    - Whitelist only the capabilities a component actually needs
  - Related CVE: CVE-2020-14386
    - Allows escape from a container to obtain root privileges
    - This is related to CAP_NET_RAW
      - CAP_NET_RAW enables ARP (Address Resolution Protocol) spoofing attacks
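A defender-side check of the whitelist idea above, as an added example that is not part of the original slides: it decodes the `CapEff` bitmask that the kernel exposes in `/proc/<pid>/status`, compares it against an allowlist (Docker's default capability set is used here), flags the capabilities the slides single out (SYS_ADMIN, NET_ADMIN, NET_RAW), and builds the `docker run --cap-drop=ALL --cap-add=...` flags for a minimal set. The capability bit numbers come from the Linux kernel's `capability.h`; the sample status text is constructed and represents a container started with NET_ADMIN and SYS_ADMIN added on top of the defaults.

```python
"""Decode and audit Linux capability masks as seen in /proc/<pid>/status.

Added example, not from the original slides. Bit numbers follow the kernel's
include/uapi/linux/capability.h; the sample status text below is constructed.
"""
from __future__ import annotations

import re

# Capability bit number -> name (kernel numbering, through CAP_CHECKPOINT_RESTORE).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Docker's default capability set (what a plain `docker run` container gets).
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

# Capabilities the slides call out: SYS_ADMIN/NET_ADMIN are dropped by default,
# NET_RAW is in the default set but enables ARP spoofing and is what
# CVE-2020-14386 needs, so it is worth reporting whenever it is present.
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_NET_RAW"}

# Constructed /proc/<pid>/status excerpt: Docker defaults plus NET_ADMIN (bit 12)
# and SYS_ADMIN (bit 21), i.e. 0xa80425fb | 1<<12 | 1<<21 == 0xa82435fb.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a82435fb\n"
    "CapEff:\t00000000a82435fb\n"
    "CapBnd:\t00000000a82435fb\n"
)


def decode_caps(mask: int) -> set[str]:
    """Turn a capability bitmask into the set of capability names it holds."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES.get(bit, f"CAP_UNKNOWN_{bit}"))
        bit += 1
    return names


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability mask (hex) from a /proc status dump."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def audit_caps(mask: int, allowlist: set[str]) -> dict[str, list[str]]:
    """Report held capabilities, those outside the allowlist, and high-risk ones."""
    held = decode_caps(mask)
    return {
        "held": sorted(held),
        "beyond_allowlist": sorted(held - allowlist),
        "high_risk": sorted(held & HIGH_RISK_CAPS),
    }


def docker_cap_flags(needed: set[str]) -> list[str]:
    """Build `docker run` flags that drop everything and add back only `needed`."""
    flags = ["--cap-drop=ALL"]
    for cap in sorted(needed):
        flags.append("--cap-add=" + cap.removeprefix("CAP_"))
    return flags


if __name__ == "__main__":
    report = audit_caps(parse_cap_eff(SAMPLE_STATUS), DOCKER_DEFAULT_CAPS)
    print("beyond Docker defaults:", report["beyond_allowlist"])
    print("high-risk present:     ", report["high_risk"])
    # A web service that only needs to bind a low port:
    print(" ".join(docker_cap_flags({"CAP_NET_BIND_SERVICE"})))
```

To check a live container instead of the constructed sample, read `/proc/1/status` from inside it (or `/proc/<pid>/status` on the host) and pass the text to `parse_cap_eff`. Note that a plain Docker default set still reports `CAP_NET_RAW` under `high_risk`, which is the point of the slides: the default set is not automatically the minimal set, so start from `--cap-drop=ALL` and add back only what the workload has been shown to need.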