Do not admit containers with NET_RAW capability

Error: Containers with NET_RAW capability admitted

Bridgecrew Policy ID: BC_K8S_6
Checkov Check ID: CKV_K8S_7
Severity: LOW

Containers with NET_RAW capability admitted

Description

NET_RAW is a default permissive setting in Kubernetes allowing ICMP traffic between containers and grants an application the ability to craft raw packets.

In the hands of an attacker NET_RAW can enable a wide variety of networking exploits from within the cluster.

Fix - Buildtime

Kubernetes

  • Resource: PodSecurityPolicy
  • Argument: requiredDropCapabilities (Optional)
    Defines the capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. NET_RAW capability is removed when the field includes it specifically, or when it includes ALL.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  requiredDropCapabilities: 
+	-ALL
or
+ -NET_RAW

To use a PodSecurityPolicy resource, the requesting user or target pod’s service account must be authorized to use the policy. The preferred method is to grant access to the service account. In the following example we use RBAC, a standard Kubernetes authorization mode.

First, a Role or ClusterRole needs to grant access to use the desired policies.

Kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <role name>
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - <policy name>

The ClusterRole is then bound to the authorized service(s):

Kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <binding name>
roleRef:
  kind: ClusterRole
  name: <role name>
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: <authorized service account name>
  namespace: <authorized pod namespace>