Admission of containers with NET_RAW capability is not minimized

Description

The NET_RAW capability allows a binary to use RAW and PACKET sockets, and to bind to any address for transparent proxying. The capability flags `ep` stand for "effective" (active) and "permitted" (allowed to be used). With Docker as the container runtime, NET_RAW is enabled by default and may be misused by malicious containers. We recommend that you define at least one PodSecurityPolicy (PSP) to prevent containers with the NET_RAW capability from launching.

Code Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      capabilities:
        drop:
          - NET_RAW
          - ALL
```

Remediation

Kubernetes

  • Resource: Container
  • Arguments: securityContext:capabilities:drop (Optional) The capabilities field allows granting certain privileges to a process without granting all the privileges of the root user. When drop includes ALL or NET_RAW, the NET_RAW capability is disabled.
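The check described above, as an added example that is not Checkov's own code: it walks the containers of a Pod (or the pod template of a workload such as a Deployment or CronJob) and reports every container whose securityContext does not drop NET_RAW or ALL. Manifests are passed as already-parsed dicts, so no YAML library is needed; the sample manifests are constructed here. It goes one step beyond the page's rule by also flagging a container that drops ALL but adds NET_RAW back.

```python
"""Report containers in a Kubernetes manifest that keep the NET_RAW capability."""
from typing import Any, Dict, List

SATISFYING_DROPS = {"NET_RAW", "ALL"}


def _normalize(cap: Any) -> str:
    # Accept either "NET_RAW" or "CAP_NET_RAW" and compare case-insensitively.
    name = str(cap).upper()
    return name[4:] if name.startswith("CAP_") else name


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec of a Pod, a templated workload, or a CronJob."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    template = spec.get("template")  # Deployment, DaemonSet, StatefulSet, Job
    if template is None:  # CronJob: spec.jobTemplate.spec.template
        template = ((spec.get("jobTemplate") or {}).get("spec") or {}).get("template") or {}
    return template.get("spec") or {}


def container_drops_net_raw(container: Dict[str, Any]) -> bool:
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {_normalize(c) for c in caps.get("drop") or []}
    added = {_normalize(c) for c in caps.get("add") or []}
    # Dropping ALL is undone if NET_RAW is explicitly added back (beyond the page's check).
    return bool(dropped & SATISFYING_DROPS) and "NET_RAW" not in added


def containers_with_net_raw(manifest: Dict[str, Any]) -> List[str]:
    """Names of init and regular containers that fail the rule (empty list = pass)."""
    spec = _pod_spec(manifest)
    return [c.get("name", "<unnamed>")
            for field in ("initContainers", "containers")
            for c in spec.get(field) or []
            if not container_drops_net_raw(c)]


# Constructed sample manifests (hypothetical names and images).
FAILING_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
               "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}}
PASSING_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
                      "spec": {"template": {"spec": {"containers": [
                          {"name": "web", "image": "example/web:1.0",
                           "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for m in (FAILING_POD, PASSING_DEPLOYMENT):
        print(m["metadata"]["name"], "->", containers_with_net_raw(m) or "pass")
```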

Rule Details

| Field | Value |
|---|---|
| ID | IAC-1106 |
| Severity | LOW |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_28 |

References