lacework-global-654
4.2.7 Minimize the execution of container workloads with the NET_RAW capability (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit containers to be run with the potentially dangerous NET_RAW Linux capability.
Rationale
Containers run with a default set of capabilities assigned by the container runtime, and by default this set can include potentially dangerous capabilities. With Docker as the container runtime, the NET_RAW capability is enabled; it permits the use of RAW and PACKET sockets, which a malicious container can misuse to craft arbitrary packets or sniff traffic on the node's network.
All containers should drop this capability.
Impact
Pods with containers which run with the NET_RAW capability will not be permitted.
Audit
Get the configuration of all pods in all namespaces using the following command:
kubectl get pods -A -o json
Inspect the JSON output and ensure that, for each pod in .items[], all containers drop the NET_RAW capability either explicitly or by using the ALL alias in .spec.containers[].securityContext.capabilities.drop[]. A container with no securityContext, or no capabilities.drop list, keeps the runtime default set and therefore fails the check. A capability listed under capabilities.add is granted even when ALL is dropped, so NET_RAW must not appear in .spec.containers[].securityContext.capabilities.add[] either. Init containers (.spec.initContainers[]) are subject to the same requirement.
If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array. It reports a pod if any regular or init container lacks a drop of NET_RAW or ALL, or adds NET_RAW back:
kubectl get pods -A -o json | jq -r '.items[] | select(any((.spec.containers + (.spec.initContainers // []))[]; ((.securityContext.capabilities // {}) as $c | (any(($c.drop // [])[]; . == "NET_RAW" or . == "ALL") and (any(($c.add // [])[]; . == "NET_RAW") | not)) | not))) | {namespace: .metadata.namespace, name: .metadata.name}' | jq -s '.'
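The same audit logic as the jq one-liner, written out in Python so the individual rules are visible and testable. This is an added example and not part of the CIS text or of any tooling the page describes; the PodList it runs on is a constructed sample, and the script can also be fed real output from kubectl get pods -A -o json on standard input.

```python
import json

# Added example (not from the CIS text): CIS 4.2.7 applied to a PodList
# document. A container passes only if its securityContext drops NET_RAW or
# ALL and does not add NET_RAW back; init containers are checked too.

NET_RAW = "NET_RAW"
ALL = "ALL"


def container_keeps_net_raw(container: dict) -> bool:
    """True if the container would still run with NET_RAW.

    A missing securityContext or capabilities block means the runtime default
    applies, which with Docker includes NET_RAW. An explicit add of NET_RAW
    is honoured even after drop: ["ALL"], so it counts as a violation too.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = caps.get("drop") or []
    add = caps.get("add") or []
    dropped = NET_RAW in drop or ALL in drop
    readded = NET_RAW in add
    return (not dropped) or readded


def pod_violations(pod: dict) -> list:
    """Names of containers (regular and init) in the pod that keep NET_RAW."""
    spec = pod.get("spec") or {}
    containers = list(spec.get("containers") or []) + list(spec.get("initContainers") or [])
    return [c.get("name", "<unnamed>") for c in containers if container_keeps_net_raw(c)]


def audit_pod_list(pod_list_json: str) -> list:
    """Parse a PodList JSON document and return the pods that fail the check."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        bad = pod_violations(pod)
        if bad:
            meta = pod.get("metadata") or {}
            findings.append({"namespace": meta.get("namespace", "default"),
                             "name": meta.get("name"), "containers": bad})
    return findings


def make_pod(ns, name, containers, init_containers=None):
    """Build a minimal Pod object for the constructed sample below."""
    spec = {"containers": containers}
    if init_containers:
        spec["initContainers"] = init_containers
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed sample PodList (not real cluster output).
SAMPLE_POD_LIST = json.dumps({"kind": "PodList", "items": [
    make_pod("default", "good-explicit",
             [{"name": "app", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]),
    make_pod("prod", "good-all",
             [{"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}}]),
    make_pod("prod", "init-leak",
             [{"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
             [{"name": "setup"}]),                  # init container keeps the defaults
    make_pod("dev", "defaults", [{"name": "web"}]),  # no securityContext at all
    make_pod("dev", "readd",
             [{"name": "sniffer", "securityContext": {
                 "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}}]),
]})


if __name__ == "__main__":
    import sys
    # Use the sample when run interactively; otherwise audit whatever is piped in.
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit_pod_list(data), indent=2))
```

Run as kubectl get pods -A -o json | python3 audit_net_raw.py (the file name is arbitrary) to audit a live cluster; on the sample it reports init-leak, defaults and readd, and an empty list means every container satisfies the control.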
Remediation
By default, the Linux capabilities available to a container, as defined by the container runtime, can be fairly generous and may include the NET_RAW capability.
To ensure the NET_RAW capability is not available to a container it is necessary to ensure pod configurations explicitly drop it.
The following example configures a container within a pod to explicitly drop the NET_RAW capability:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      capabilities:
        drop: ["NET_RAW"]
For added security, it is possible to explicitly drop all the default capabilities offered by the container runtime by using the ALL alias, and then add back only the capabilities a workload demonstrably needs. The following example demonstrates this:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: hello-world
    image: hello-world
    securityContext:
      capabilities:
        drop: ["ALL"]
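Once a remediated pod is running, the kernel is the authority on what the container actually holds: the effective capability set is the CapEff bitmask in /proc/<pid>/status, documented in capabilities(7). The following added example (not part of the CIS text) decodes those masks so the result of drop: ["NET_RAW"] or drop: ["ALL"] can be confirmed from inside the container. The bit numbers are the CAP_* constants from the kernel's capability.h; the sample status excerpts are constructed, and the value 00000000a80425fb used as the Docker default set is an assumption of the example that should be verified on your own runtime.

```python
import re

# Added example (not from the CIS text): decode the Cap* masks a container's
# /proc/<pid>/status exposes and check whether CAP_NET_RAW (bit 13) is still
# in the effective set after remediation.

CAPABILITY_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}


def parse_cap_masks(status_text: str) -> dict:
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines as integers."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_capability(mask: int, name: str) -> bool:
    """True if the named capability's bit is set in the mask."""
    return bool(mask >> CAPABILITY_BITS[name] & 1)


def decode_mask(mask: int) -> list:
    """Names of all capabilities set in the mask, in bit order."""
    return [n for n, b in sorted(CAPABILITY_BITS.items(), key=lambda kv: kv[1])
            if mask >> b & 1]


def container_has_net_raw(status_text: str) -> bool:
    """True if the effective set in a /proc/<pid>/status dump includes NET_RAW."""
    return has_capability(parse_cap_masks(status_text)["CapEff"], "CAP_NET_RAW")


# Constructed /proc/1/status excerpts. 00000000a80425fb is assumed here to be
# the default set Docker grants (verify on your runtime); the second excerpt
# is that set with bit 13 cleared, as drop: ["NET_RAW"] should produce, and the
# third is the empty set that drop: ["ALL"] should produce.
STATUS_DEFAULT = ("Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
                  "CapAmb:\t0000000000000000\n")
STATUS_DROP_NET_RAW = STATUS_DEFAULT.replace("00000000a80425fb", "00000000a80405fb")
STATUS_DROP_ALL = STATUS_DEFAULT.replace("00000000a80425fb", "0000000000000000")


if __name__ == "__main__":
    import sys
    # Decode a piped-in status file, or the constructed samples when interactive.
    if sys.stdin.isatty():
        for label, text in (("default", STATUS_DEFAULT),
                            ("drop NET_RAW", STATUS_DROP_NET_RAW),
                            ("drop ALL", STATUS_DROP_ALL)):
            print(label, "NET_RAW" if container_has_net_raw(text) else "no NET_RAW",
                  decode_mask(parse_cap_masks(text)["CapEff"]))
    else:
        text = sys.stdin.read()
        print("NET_RAW present" if container_has_net_raw(text) else "NET_RAW absent")
        print(decode_mask(parse_cap_masks(text)["CapEff"]))
```

Against a live pod, kubectl exec my-pod -- cat /proc/1/status | python3 capcheck.py (file name arbitrary) prints whether NET_RAW is still effective. CapBnd is worth reading as well: a capability outside the bounding set cannot be regained by any binary in the container, whereas one merely absent from CapEff could in principle return through a file capability.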
References
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core
https://man7.org/linux/man-pages/man7/capabilities.7.html