Pods should not run containers with the NET_RAW capability Affecting Container service in Kubernetes


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Containers / Capabilities

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Kubernetes
  • Snyk ID SNYK-CC-00656
  • credit Snyk Research Team

Description

Pods should not run containers with the NET_RAW capability. NET_RAW capability is present by default, but is unnecessary in most applications. An attacker could leverage NET_RAW to spy on network traffic or to generate IP traffic with spoofed addresses.

How to fix?

Set the drop attribute to ALL/NET_RAW in spec.containers.securityContext.capabilities.

Example Configuration


apiVersion: v1
kind: Pod
metadata:
  name: valid
spec:
  containers:
  - name: hello
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop: ["NET_RAW"]

Kubernetes

Terraform