
Admission of containers with NET_RAW capability is not minimized

Description

The NET_RAW capability (CAP_NET_RAW) lets a process open RAW and PACKET sockets and bind to any address for transparent proxying. Raw sockets are what ping needs, but they also let a process sniff traffic and forge packets on the pod network. When file capabilities are listed, for example with getcap, the suffix ep on an entry such as cap_net_raw=ep means the capability is in the binary's “effective” (active) and “permitted” (allowed to be used) sets.

With Docker as the container runtime, NET_RAW is part of the default capability set, so every container keeps it unless the pod explicitly drops it, and a compromised container can misuse it. Define at least one PodSecurityPolicy (PSP) that requires dropping NET_RAW so that such containers are not admitted. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters enforce the same rule with Pod Security Admission (the restricted profile requires dropping ALL) or a policy admission controller.
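The "effective" and "permitted" sets described above are also visible from inside a running container, which is the quickest way to confirm that a drop actually took effect. The following is an added example, not code from the original page: it decodes the Cap* bitmasks of a /proc/<pid>/status dump and reports whether bit 13 (CAP_NET_RAW, numbered as in linux/capability.h) is set. The two status dumps are constructed samples: Docker's default capability set (mask 0xa80425fb) and the same process after NET_RAW was dropped.

```python
"""Decode the capability bitmasks a running process actually holds.

Added example (not from the original page). Inside a container, the Cap* lines of
/proc/self/status show which capabilities are permitted (CapPrm), effective (CapEff)
and in the bounding set (CapBnd): the runtime truth behind getcap's "ep" notation.
"""
import re

CAP_NET_RAW = 13  # capability bit number from linux/capability.h

# Capability names by bit number (linux/capability.h, numbers 0..40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

_CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_masks(status_text: str) -> dict:
    """Return {set name: bitmask} for the Cap* lines of a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line.strip())
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def caps_in_mask(mask: int) -> list:
    """Expand a bitmask into capability names; bits beyond the table are reported by number."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def net_raw_state(status_text: str) -> dict:
    """Whether CAP_NET_RAW is present in the permitted, effective and bounding sets."""
    masks = parse_cap_masks(status_text)
    return {s: bool(masks.get(s, 0) >> CAP_NET_RAW & 1) for s in ("CapPrm", "CapEff", "CapBnd")}


def check_self() -> dict:
    """Run inside a container to inspect the current process (needs Linux /proc)."""
    with open("/proc/self/status") as f:
        return net_raw_state(f.read())


# Constructed sample: Cap* lines of a root process in a container started with
# Docker's default capability set (mask 0xa80425fb), and of the same container
# after the pod dropped NET_RAW (bit 13 cleared, mask 0xa80405fb).
DOCKER_DEFAULT_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

NET_RAW_DROPPED_STATUS = DOCKER_DEFAULT_STATUS.replace("a80425fb", "a80405fb")


if __name__ == "__main__":
    for label, text in (("docker default", DOCKER_DEFAULT_STATUS),
                        ("NET_RAW dropped", NET_RAW_DROPPED_STATUS)):
        eff = parse_cap_masks(text)["CapEff"]
        print(label, net_raw_state(text), caps_in_mask(eff))
```

Checking CapBnd as well as CapEff matters: a capability that is absent from the effective set but still in the bounding set can be regained by a setuid or file-capability binary inside the image, whereas a capability dropped through securityContext is removed from the bounding set too.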

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: securityContext:capabilities:drop (Optional)
    The capabilities field grants a process selected privileges without granting it all of root's privileges. When drop includes ALL or NET_RAW, the NET_RAW capability is removed from the container.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        drop:
          # Either entry alone satisfies the check; ALL already includes NET_RAW.
          - NET_RAW
          - ALL
```
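The rule above has a few corners a manifest scanner has to get right: a container with no securityContext at all fails (Docker's default set keeps NET_RAW), init containers count too, and an explicit add of NET_RAW re-enables it even when drop lists ALL, because Docker applies drops before adds. The following is an added example and not Checkov's or Bridgecrew's own implementation. The manifests are constructed Python dicts equivalent to what yaml.safe_load returns for the corresponding YAML; treating CAP_NET_RAW and NET_RAW as the same capability is an assumption matching what runtimes accept.

```python
"""Flag containers in Kubernetes manifests that would still hold NET_RAW at runtime.

Added example, not the project's own check. A container passes only if
securityContext.capabilities.drop contains ALL or NET_RAW and add does not
re-grant it (drops are applied before adds, so an explicit add wins).
"""


def _norm(cap) -> str:
    # Assumption: runtimes accept both "NET_RAW" and "CAP_NET_RAW"; compare upper-case.
    name = str(cap).strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def container_keeps_net_raw(container: dict) -> bool:
    """True if the container would keep NET_RAW; a missing securityContext counts as keeping it."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = {_norm(c) for c in (caps.get("drop") or [])}
    added = {_norm(c) for c in (caps.get("add") or [])}
    if "NET_RAW" in added or "ALL" in added:
        return True  # explicitly re-granted after any drop
    return not ({"ALL", "NET_RAW"} & dropped)


def _pod_spec(manifest: dict) -> dict:
    """Return the pod spec of a Pod, of a workload with a pod template, or of a CronJob."""
    spec = manifest.get("spec") or {}
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
        spec = (spec["template"] or {}).get("spec") or {}
    elif "jobTemplate" in spec:  # CronJob
        job_spec = (spec["jobTemplate"] or {}).get("spec") or {}
        spec = ((job_spec.get("template") or {}).get("spec")) or {}
    return spec


def find_violations(manifest: dict) -> list:
    """List '<kind>/<name>: <field>/<container>' for every container that keeps NET_RAW."""
    kind = manifest.get("kind", "?")
    name = (manifest.get("metadata") or {}).get("name", "?")
    spec = _pod_spec(manifest)
    hits = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            if container_keeps_net_raw(c):
                hits.append(f"{kind}/{name}: {field}/{c.get('name', '?')}")
    return hits


# Constructed manifests (dict form of the YAML a scanner would load).
POD_DEFAULT = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-default"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},  # no securityContext
}

POD_FIXED = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-fixed"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx:1.25",
        "securityContext": {"capabilities": {"drop": ["NET_RAW"]}},
    }]},
}

DEPLOY_MIXED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "api:1.0"}],  # nothing dropped
        "containers": [
            {"name": "api", "image": "api:1.0",  # drop ALL but add it straight back
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["CAP_NET_RAW"]}}},
            {"name": "sidecar", "image": "proxy:1.0",  # drop ALL, add only what it needs
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
        ],
    }}},
}

if __name__ == "__main__":
    for m in (POD_DEFAULT, POD_FIXED, DEPLOY_MIXED):
        print(m["kind"], m["metadata"]["name"], "->", find_violations(m) or "OK")
```

The sidecar pattern in the last manifest (drop ALL, then add back only the specific capability the process needs) is the shape the restricted Pod Security Standard expects and is the one to aim for; dropping only NET_RAW satisfies this check but leaves the rest of Docker's default set in place.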