Skip to main content

lacework-global-654

4.2.7 Minimize the execution of container workloads with the NET_RAW capability (Automated)

Profile Applicability

• Level 1

Description

Do not generally permit containers to be run with the potentially dangerous NET_RAW Linux capability.

Rationale

Containers run with a default set of capabilities as assigned by the Container Runtime. By default, this can include potentially dangerous capabilities. With Docker as the container runtime, the NET_RAW capability is enabled which may be misused by malicious containers.

All containers should drop this capability.

Impact

Pods with containers which run with the NET_RAW capability will not be permitted.

Audit

Get the configuration of all pods using the following command:

kubectl get pods -o json

Inspect the JSON output and ensure that, for each pod in .items[], all containers drop the NET_RAW capability either explicitly or by using the ALL alias in .spec.containers[].securityContext.capabilities.drop[].

If jq is available in the shell then pods which violate this principle can be found more easily. Run the following command and ensure that the output is an empty array:

kubectl get pods -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.drop | index("NET_RAW", "ALL") | not) | {name: .metadata.name}' | jq -s '.'

Remediation

By default, the Linux capabilities available to a container, as defined by the container runtime, can be fairly generous and may include the NET_RAW capability.

To ensure the NET_RAW capability is not available to a container it is necessary to ensure pod configurations explicitly drop it.

The following example configures a container within a pod to explicitly drop the NET_RAW capability:

apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
- name: hello-world
image: hello-world
securityContext:
capabilities:
drop: ["NET_RAW"]

For added security, it is possible to explicitly drop all the default capabilities offered by the container runtime by using the ALL alias. The following example demonstrates this:

apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
- name: hello-world
image: hello-world
securityContext:
capabilities:
drop: ["ALL"]

References

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core https://man7.org/linux/man-pages/man7/capabilities.7.html