Do not admit containers with NET_RAW capability
Error: Containers with NET_RAW capability admitted
Bridgecrew Policy ID: BC_K8S_6
Checkov Check ID: CKV_K8S_7
Containers with NET_RAW capability admitted
NET_RAW is a default permissive setting in Kubernetes allowing ICMP traffic between containers and grants an application the ability to craft raw packets.
In the hands of an attacker NET_RAW can enable a wide variety of networking exploits from within the cluster.
Fix - Buildtime
- Resource: PodSecurityPolicy
- Argument: requiredDropCapabilities (Optional)
Defines the capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. NET_RAW capability is removed when the field includes it specifically, or when it includes ALL.
apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: <policy name> spec: requiredDropCapabilities: + -ALL or + -NET_RAW
To use a PodSecurityPolicy resource, the requesting user or target pod’s service account must be authorized to use the policy. The preferred method is to grant access to the service account. In the following example we use RBAC, a standard Kubernetes authorization mode.
First, a Role or ClusterRole needs to grant access to use the desired policies.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: <role name> rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - <policy name>
The ClusterRole is then bound to the authorized service(s):
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: <binding name> roleRef: kind: ClusterRole name: <role name> apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: <authorized service account name> namespace: <authorized pod namespace>
Updated 4 months ago