Pods should not run containers with the NET_RAW capability Affecting Container service in Kubernetes
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00656
- creditSnyk Research Team
Description
Pods should not run containers with the NET_RAW capability. NET_RAW capability is present by default, but is unnecessary in most applications. An attacker could leverage NET_RAW to spy on network traffic or to generate IP traffic with spoofed addresses.
How to fix?
Set the drop attribute to ALL/NET_RAW in spec.containers.securityContext.capabilities.
Example Configuration
apiVersion: v1
kind: Pod
metadata:
name: valid
spec:
containers:
- name: hello
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
drop: ["NET_RAW"]
Set the drop attribute to ALL/NET_RAW in spec.container.security_context.capabilities.
Example Configuration
resource "kubernetes_pod" "example_pod656a1" {
metadata {
name = "example-pod-656a1"
labels = {
app = "example-656a1"
}
}
spec {
container {
image = "nginx:latest"
name = "nginx"
port {
container_port = 80
}
security_context {
capabilities {
drop = ["ALL"]
}
}
}
}
}