Containers with NET_RAW capability admitted
Description
NET_RAW (CAP_NET_RAW) is a Linux capability that container runtimes include in their default capability set, so Kubernetes containers receive it unless a policy or the pod's securityContext drops it. It allows a process to open raw and packet sockets, which is what lets ICMP tools such as ping work between containers, but the same permission lets an application craft arbitrary packets. In the hands of an attacker who has compromised a container, NET_RAW enables a wide variety of networking attacks from within the cluster, such as sniffing or spoofing traffic on the node's pod network (ARP spoofing against neighbouring pods, for example).
Code Example
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  requiredDropCapabilities:
    - ALL
```
or
```yaml
spec:
  requiredDropCapabilities:
    - NET_RAW
```
Remediation
Kubernetes
- Resource: PodSecurityPolicy
- Arguments: requiredDropCapabilities (Optional). Defines the capabilities that must be dropped from every container the policy admits. These capabilities are removed from the runtime's default set and cannot be added back by the pod. NET_RAW is removed when the field names it explicitly or when it lists ALL.
Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On clusters without it, drop the capability in each container's securityContext.capabilities.drop (NET_RAW or ALL) and enforce that with Pod Security Admission, whose restricted profile requires dropping ALL. Check that no container re-adds NET_RAW under capabilities.add, because the runtime applies the drop list before the add list.
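The following script is an added example, not Checkov's implementation of CKV_K8S_7. It applies the rule described above to both forms of remediation: a PodSecurityPolicy's requiredDropCapabilities, and, for clusters without PSP, each container's securityContext.capabilities. Manifests are represented as plain Python dicts (what json.load or yaml.safe_load would return) so that it runs offline without a YAML library; the sample manifests and their names are constructed for illustration.

```python
"""Offline check for CAP_NET_RAW in Kubernetes manifests.

Added example; this is not Checkov's implementation. Manifests are plain dicts
(what json.load or yaml.safe_load would return) so it runs without a YAML library.
"""

# Either entry in a drop list removes CAP_NET_RAW from the container.
SATISFYING_DROPS = {"ALL", "NET_RAW"}


def normalise_cap(name):
    """'net_raw', 'CAP_NET_RAW' and 'NET_RAW' all name the same Linux capability."""
    cap = str(name).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def drops_net_raw(drop):
    """True when the drop list contains NET_RAW or ALL, in any spelling."""
    return bool({normalise_cap(c) for c in (drop or [])} & SATISFYING_DROPS)


def check_psp(psp):
    """PodSecurityPolicy rule: spec.requiredDropCapabilities must list NET_RAW or ALL."""
    name = psp.get("metadata", {}).get("name", "<unnamed>")
    if drops_net_raw(psp.get("spec", {}).get("requiredDropCapabilities")):
        return []
    return [f"PodSecurityPolicy {name}: requiredDropCapabilities lacks NET_RAW and ALL"]


def pod_spec_of(obj):
    """A Pod carries its spec directly; Deployments, DaemonSets and Jobs nest it in spec.template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def check_workload(obj):
    """Per-container rule for clusters without PSP: every container (init containers too)
    must drop NET_RAW or ALL and must not re-add NET_RAW, because the runtime applies
    'drop' first and 'add' afterwards, so the add wins."""
    findings = []
    spec = pod_spec_of(obj)
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            where = f"{obj.get('kind', 'Pod')} {name}, container {c.get('name', '?')}"
            if not drops_net_raw(caps.get("drop")):
                findings.append(f"{where}: capabilities.drop lacks NET_RAW and ALL")
            if "NET_RAW" in {normalise_cap(a) for a in (caps.get("add") or [])}:
                findings.append(f"{where}: capabilities.add re-grants NET_RAW")
    return findings


def check(obj):
    """Dispatch on kind; an empty list means the object passes."""
    if obj.get("kind") == "PodSecurityPolicy":
        return check_psp(obj)
    return check_workload(obj)


# Constructed sample manifests (hypothetical names; not taken from any real cluster).
PSP_DROP_ALL = {
    "apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {"requiredDropCapabilities": ["ALL"]},
}
PSP_NO_DROP = {
    "apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
    "metadata": {"name": "permissive"},
    "spec": {"requiredDropCapabilities": ["SYS_ADMIN"]},  # drops something, but not NET_RAW
}
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"capabilities": {"drop": ["net_raw"]}}},
        ],
        "containers": [
            # Hardened: drops everything.
            {"name": "app", "image": "app:1.0",
             "securityContext": {"capabilities": {"drop": ["ALL"]}}},
            # Runtime default: keeps CAP_NET_RAW.
            {"name": "sidecar", "image": "sidecar:1.0"},
            # Drops ALL but adds NET_RAW back, which defeats the drop.
            {"name": "probe", "image": "probe:1.0",
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
        ],
    }}},
}

if __name__ == "__main__":
    for manifest in (PSP_DROP_ALL, PSP_NO_DROP, DEPLOYMENT):
        print(manifest["kind"], manifest["metadata"]["name"], "->", check(manifest) or "PASS")
```

Running it reports the permissive PSP and, in the Deployment, the sidecar that never drops the capability and the probe container that re-adds it; the init container that drops `net_raw` in lower case and the container that drops ALL pass.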
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1085 |
| Severity | LOW |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_7 |