Ensure admission of containers with NET_RAW capability is minimized
Error: Admission of containers with NET_RAW capability is not minimized
Bridgecrew Policy ID: BC_K8S_27
Checkov Check ID: CKV_K8S_28
Severity: LOW
Admission of containers with NET_RAW capability is not minimized
Description
The NET_RAW capability allows a process to use RAW and PACKET sockets and to bind to any address for transparent proxying. (In a capability listing such as cap_net_raw=ep, the ep flags stand for “effective” (active) and “permitted” (allowed to be used).)
With Docker as the container runtime, the NET_RAW capability is granted by default and may be misused by a malicious container. We recommend that you define at least one PodSecurityPolicy (PSP) to prevent containers that retain the NET_RAW capability from launching.
Fix - Buildtime
Kubernetes
- Resource: Container
- Argument: securityContext:capabilities:drop (Optional)
The capabilities field allows granting certain privileges to a process without granting all of the privileges of the root user. When drop includes ALL or NET_RAW, the NET_RAW capability is removed from the container.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        drop:
+         - NET_RAW
+         - ALL
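As an added example (not part of this policy page and not Checkov's own implementation of CKV_K8S_28), the following Python function applies the rule described above to a manifest that has already been parsed into a dict: a container passes only if its securityContext.capabilities.drop list contains ALL or NET_RAW. It goes slightly beyond the text in two assumed ways: it also inspects initContainers and the spec.template.spec of workload controllers such as Deployments, and it treats a container that drops ALL but then re-adds NET_RAW as a violation. The sample manifests are constructed for this example.

```python
"""Flag containers in a Kubernetes manifest that keep the NET_RAW capability."""
from typing import Any, Dict, List

# Constructed sample: one init container drops ALL, but the main container
# sets no securityContext at all and therefore keeps NET_RAW.
POD_FAILING: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "example/init:1.0",
             "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        ],
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
        ],
    },
}

# Constructed sample: a Deployment whose pod template drops NET_RAW explicitly.
DEPLOYMENT_PASSING: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-deploy"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {"name": "web", "image": "example/web:1.0",
                     "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
                ],
            },
        },
    },
}


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a bare Pod or for a workload controller (assumed layout)."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    # Deployments, StatefulSets, DaemonSets, Jobs wrap the pod spec in spec.template.spec.
    return (spec.get("template") or {}).get("spec") or {}


def drops_net_raw(container: Dict[str, Any]) -> bool:
    """True if the container's capabilities.drop removes NET_RAW (via ALL or NET_RAW).

    Assumption beyond the page: re-adding NET_RAW in capabilities.add after dropping
    ALL re-enables it, so that combination is treated as not dropping NET_RAW.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {str(c).upper() for c in (caps.get("drop") or [])}
    added = {str(c).upper() for c in (caps.get("add") or [])}
    if "NET_RAW" in added:
        return False
    return bool(dropped & {"ALL", "NET_RAW"})


def net_raw_violations(manifest: Dict[str, Any]) -> List[str]:
    """List 'field/name' for every container that does not drop NET_RAW."""
    spec = _pod_spec(manifest)
    violations: List[str] = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            if not drops_net_raw(container):
                violations.append(f"{field}/{container.get('name', '<unnamed>')}")
    return violations


if __name__ == "__main__":
    for doc in (POD_FAILING, DEPLOYMENT_PASSING):
        name = doc["metadata"]["name"]
        bad = net_raw_violations(doc)
        print(f"{name}: {'FAILED ' + ', '.join(bad) if bad else 'PASSED'}")
```

Run against real files by loading them with a YAML parser and passing each document to net_raw_violations; a non-empty result is the condition this policy reports.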