Pods should not run containers with the NET_RAW capability
Description
The NET_RAW capability is part of the default capability set a container starts with, but most applications never need it. An attacker who gains code execution inside such a container could use NET_RAW to sniff network traffic on the node's interfaces or to craft IP packets with spoofed source addresses.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that each container in a Kubernetes Pod drops either the NET_RAW capability or ALL capabilities in its securityContext, and does not add NET_RAW back via capabilities.add.
Example Configuration

# Option 1: drop every capability (preferred; add back only what the workload needs)
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
    - name: sec-demo-container
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        capabilities:
          drop: ["ALL"]
---
# Option 2: keep the default set but drop NET_RAW explicitly
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo2
spec:
  containers:
    - name: sec-demo-container
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        capabilities:
          drop: ["NET_RAW"]
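To audit existing manifests for this rule, here is an added example checker (not part of the original page or any scanner's own code). It works on parsed Pod objects, the structure yaml.safe_load or `kubectl get pod -o json` returns, and treats a container as non-compliant if it neither drops NET_RAW nor ALL, or if capabilities.add re-grants NET_RAW, since add is applied after drop. The sample pods below are constructed for the demo; the function, name and module layout are this example's own.

```python
"""Flag containers in Pod manifests that still hold the NET_RAW capability."""
import json


def _caps(container, key):
    """Return the normalised capability names under securityContext.capabilities.<key>."""
    sc = container.get("securityContext") or {}
    caps = (sc.get("capabilities") or {}).get(key) or []
    out = set()
    for cap in caps:
        name = str(cap).upper()
        # Kubernetes accepts names with or without the CAP_ prefix; normalise both.
        out.add(name[4:] if name.startswith("CAP_") else name)
    return out


def net_raw_findings(pod):
    """Return [(container_name, reason)] for every container that keeps NET_RAW."""
    findings = []
    spec = pod.get("spec") or {}
    # Init and ephemeral containers run with the same default capability set, so check them too.
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            dropped, added = _caps(c, "drop"), _caps(c, "add")
            if "NET_RAW" in added:
                findings.append((c["name"], "capabilities.add re-grants NET_RAW after drop"))
            elif not dropped & {"ALL", "NET_RAW"}:
                findings.append((c["name"], "NET_RAW not dropped (default capability set kept)"))
    return findings


# Constructed sample input: one compliant Pod, one Pod with two non-compliant containers.
SAMPLE_PODS = json.loads("""
[
 {"apiVersion":"v1","kind":"Pod","metadata":{"name":"sec-demo1"},
  "spec":{"containers":[{"name":"sec-demo-container","image":"gcr.io/google-samples/node-hello:1.0",
          "securityContext":{"capabilities":{"drop":["ALL"]}}}]}},
 {"apiVersion":"v1","kind":"Pod","metadata":{"name":"bad-pod"},
  "spec":{"initContainers":[{"name":"init","image":"busybox"}],
          "containers":[{"name":"app","image":"busybox",
          "securityContext":{"capabilities":{"drop":["ALL"],"add":["NET_RAW"]}}}]}}
]
""")

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        for name, reason in net_raw_findings(pod):
            print(f"{pod['metadata']['name']}/{name}: {reason}")
```

Feed it the `items` list from `kubectl get pods -A -o json` to audit a live cluster; an admission policy (e.g. Pod Security Admission at the restricted level) is the place to enforce the rule going forward.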