Ensure admission of containers with NET_RAW capability is minimized

Error: Admission of containers with NET_RAW capability is not minimized

Bridgecrew Policy ID: BC_K8S_27
Checkov Check ID: CKV_K8S_28
Severity: LOW

Admission of containers with NET_RAW capability is not minimized

Description

The NET_RAW capability allows a process to use RAW and PACKET sockets, as well as to bind to any address for transparent proxying. In capability listings, the suffix ep stands for “effective” (active) and “permitted” (allowed to be used).

With Docker as the container runtime, the NET_RAW capability is enabled by default and may be misused by malicious containers. We recommend you define at least one PodSecurityPolicy (PSP) to prevent containers with the NET_RAW capability from launching.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: securityContext:capabilities:drop (Optional)
    The capabilities field allows granting certain privileges to a process without granting all the privileges of the root user. When drop includes ALL or NET_RAW, the NET_RAW capability is disabled.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        drop:
+        - NET_RAW
+        - ALL
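The rule above, as an added example that is not Checkov's own code: a small checker that walks a Pod (or the pod template of a Deployment, DaemonSet, StatefulSet, Job or CronJob) and reports every container whose securityContext does not drop ALL or NET_RAW. It goes one step beyond the page by also flagging NET_RAW listed under add, since Kubernetes applies add after drop. The sample manifest is constructed for the example.

```python
# Added example (not Checkov's code): reimplement the rule this page describes.
# A container passes when securityContext.capabilities.drop lists ALL or NET_RAW.
# It also flags NET_RAW under `add`, because Kubernetes applies `add` after
# `drop`, so drop: [ALL] + add: [NET_RAW] still leaves NET_RAW enabled.
from typing import Any, Dict, List


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec of a Pod or of a workload that wraps a pod template."""
    spec = manifest.get("spec") or {}
    if "jobTemplate" in spec:            # CronJob -> Job -> Pod template
        spec = spec["jobTemplate"].get("spec") or {}
    if "template" in spec:               # Deployment, DaemonSet, StatefulSet, Job
        spec = spec["template"].get("spec") or {}
    return spec


def _caps(names) -> set:
    # Kubernetes lists capabilities without the CAP_ prefix; tolerate both forms.
    out = set()
    for n in names or []:
        n = str(n).upper()
        out.add(n[4:] if n.startswith("CAP_") else n)
    return out


def container_drops_net_raw(container: Dict[str, Any]) -> bool:
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped, added = _caps(caps.get("drop")), _caps(caps.get("add"))
    if "NET_RAW" in added:               # add is applied after drop
        return False
    return bool(dropped & {"ALL", "NET_RAW"})


def net_raw_findings(manifest: Dict[str, Any]) -> List[str]:
    """Names of containers (init and regular) that would fail CKV_K8S_28."""
    spec = _pod_spec(manifest)
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    out = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            if not container_drops_net_raw(c):
                out.append(f"{manifest.get('kind')}/{name}: {field}/{c.get('name')}")
    return out


# Constructed sample manifest: one compliant container, one with no
# securityContext, and an init container that drops ALL but re-adds NET_RAW.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}}],
        "containers": [
            {"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
            {"name": "sidecar", "image": "busybox"}]}}},
}

if __name__ == "__main__":
    for finding in net_raw_findings(SAMPLE_DEPLOYMENT):
        print("FAILED CKV_K8S_28:", finding)
```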
