Pods should not run containers with the NET_RAW capability

Description

The NET_RAW capability is part of the default capability set that containers run with, but most applications do not need it. An attacker could leverage NET_RAW to spy on network traffic or to generate IP traffic with spoofed addresses.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that each container in a Kubernetes Pod drops the NET_RAW or ALL capabilities in its securityContext

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["ALL"]
---
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo2
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["NET_RAW"]
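
The following checker is an added example, not part of this page or of any scanner's own code. It takes a manifest in JSON form (the shape `kubectl get pod -o json` produces, so only the standard library is needed) and reports every container whose securityContext does not drop NET_RAW or ALL. It also flags the case where ALL is dropped but NET_RAW is added back, since the runtime applies `add` after `drop`, and it looks at init containers and at workloads carrying a Pod template, which goes beyond the two Pod examples above. The sample manifests are constructed for the example and mirror the page's two compliant Pods plus two non-compliant variants.

```python
"""Report containers that still run with NET_RAW (added example)."""
import json

# Either entry in `drop` removes NET_RAW from the container's capability set.
SUFFICIENT_DROPS = {"ALL", "NET_RAW"}


def container_keeps_net_raw(container: dict) -> bool:
    """True when this container still runs with NET_RAW.

    Capabilities are set per container (there is no pod-level capabilities
    field), so only the container's own securityContext is consulted. The
    runtime applies `add` after `drop`, so drop: ["ALL"] combined with
    add: ["NET_RAW"] keeps the capability and is reported as a finding.
    """
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = set(caps.get("drop") or [])
    added = set(caps.get("add") or [])
    if "NET_RAW" in added:
        return True
    return not (dropped & SUFFICIENT_DROPS)


def find_violations(manifest: dict) -> list[str]:
    """Names of init and regular containers that keep NET_RAW, in order.

    Accepts a Pod, or a workload (Deployment, StatefulSet, DaemonSet, Job)
    whose spec carries a Pod template; the latter is an assumption of this
    example, the page itself only shows Pods.
    """
    spec = manifest.get("spec") or {}
    if "template" in spec:
        spec = (spec["template"] or {}).get("spec") or {}
    names = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            if container_keeps_net_raw(c):
                names.append(c.get("name", "<unnamed>"))
    return names


def check_manifest_json(text: str) -> list[str]:
    """Same check on the raw JSON text that `kubectl ... -o json` prints."""
    return find_violations(json.loads(text))


IMAGE = "gcr.io/google-samples/node-hello:1.0"


def _pod(name: str, containers: list, init_containers: list = ()) -> dict:
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"initContainers": list(init_containers),
                     "containers": containers}}


# Constructed sample manifests: the two compliant shapes from the page and
# two non-compliant variants built for this example.
SAMPLES = {
    "sec-demo1": _pod("sec-demo1", [{"name": "sec-demo-container", "image": IMAGE,
        "securityContext": {"capabilities": {"drop": ["ALL"]}}}]),
    "sec-demo2": _pod("sec-demo2", [{"name": "sec-demo-container", "image": IMAGE,
        "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]),
    # No securityContext at all: the container keeps the default set.
    "no-securitycontext": _pod("no-securitycontext", [{"name": "app", "image": IMAGE}]),
    # ALL dropped but NET_RAW added back, plus an init container with no drop.
    "readded": _pod("readded",
        [{"name": "app", "image": IMAGE,
          "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}}],
        init_containers=[{"name": "init", "image": IMAGE}]),
}
READDED_JSON = json.dumps(SAMPLES["readded"])

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        bad = find_violations(manifest)
        print(f"{name}: {'OK' if not bad else 'keeps NET_RAW in ' + ', '.join(bad)}")
```

Run it against live objects with `kubectl get pod <name> -o json | python3 -c 'import sys, check; print(check.check_manifest_json(sys.stdin.read()))'` (module name assumed). A Pod passes only when every container, init containers included, drops NET_RAW or ALL without adding NET_RAW back.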