Drop CAP_NET_RAW

Capabilities permit privileged actions without giving full root access. The CAP_NET_RAW capability, present in the default capability set of common container runtimes, lets processes in a container open raw and packet sockets, so they can forge packets (ARP spoofing, for example) and bind to any interface, potentially leading to MitM attacks against neighbouring Pods. This policy ensures that every container, including init and ephemeral containers, explicitly lists CAP_NET_RAW under `securityContext.capabilities.drop`. As shipped it runs in `audit` mode, so violations are only reported in policy reports; set `validationFailureAction` to `enforce` to reject non-compliant Pods at admission.

Policy Definition

/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-cap-net-raw
  annotations:
    policies.kyverno.io/title: Drop CAP_NET_RAW
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. The
      CAP_NET_RAW capability, enabled by default, allows processes in a container to
      forge packets and bind to any interface, potentially leading to MitM attacks.
      This policy ensures that all containers explicitly drop the CAP_NET_RAW
      capability.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: require-drop-cap-net-raw
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Containers must drop the `CAP_NET_RAW` capability.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: CAP_NET_RAW
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
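The deny condition above is compact but has edge cases worth seeing before turning on `enforce`. The following is an added example, not Kyverno's engine and not part of the policy repository: a plain Python mirror of the two JMESPath expressions (the `foreach` list and the `AnyNotIn` value) run over a handful of constructed Pod manifests. The Pod names, container names and `registry.example` image references are made up for the illustration.

```python
"""Local model of the drop-cap-net-raw deny condition.

Added example, not Kyverno's code: it mirrors the policy's JMESPath logic in
Python so the behaviour on edge cases can be seen without a cluster.
"""


def ctr(name, drop=None):
    """Build a minimal container spec; drop=None omits securityContext entirely."""
    c = {"name": name, "image": f"registry.example/{name}:1.0"}  # constructed image ref
    if drop is not None:
        c["securityContext"] = {"capabilities": {"drop": drop}}
    return c


def pod(name, containers, init=None, ephemeral=None):
    """Build a minimal Pod manifest as the dict Kyverno sees after YAML parsing."""
    spec = {"containers": containers}
    if init:
        spec["initContainers"] = init
    if ephemeral:
        spec["ephemeralContainers"] = ephemeral
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed sample Pods (not taken from the original page).
PODS = {
    # No securityContext at all: the drop list resolves to [] -> flagged.
    "no-securitycontext": pod("no-securitycontext", [ctr("app")]),
    # Every container drops it; lower case passes because the rule applies to_upper().
    "compliant": pod("compliant", [ctr("app", ["cap_net_raw"])],
                     init=[ctr("init", ["CAP_NET_RAW"])]),
    # drop: [ALL] is stronger in Kubernetes, but the rule compares strings,
    # so "CAP_NET_RAW" is not in ["ALL"] and the container is flagged.
    "drop-all": pod("drop-all", [ctr("app", ["ALL"])]),
    # The unprefixed spelling NET_RAW, as Kubernetes manifests often write it,
    # also fails the literal comparison.
    "unprefixed": pod("unprefixed", [ctr("app", ["NET_RAW"])]),
    # Only the init container complies; the ephemeral and main containers are flagged.
    "partial": pod("partial", [ctr("app")],
                   init=[ctr("init", ["CAP_NET_RAW"])], ephemeral=[ctr("debug")]),
}


def dropped_caps(container):
    """Mirror of `element.securityContext.capabilities.drop[].to_upper(@) || []`.

    A missing intermediate key makes the JMESPath expression null, which the
    `||` operator replaces with an empty list.
    """
    ctx = container.get("securityContext") or {}
    caps = ctx.get("capabilities") or {}
    return [c.upper() for c in (caps.get("drop") or [])]


def violations(pod_manifest):
    """Mirror of the foreach over `spec.[ephemeralContainers, initContainers, containers][]`.

    Absent lists contribute no elements, so a Pod without initContainers needs
    no special casing. A container is denied when the key CAP_NET_RAW is
    "AnyNotIn" its uppercased drop list.
    """
    flagged = []
    for field in ("ephemeralContainers", "initContainers", "containers"):
        for c in pod_manifest["spec"].get(field) or []:
            if "CAP_NET_RAW" not in dropped_caps(c):
                flagged.append(f"{field}/{c['name']}")
    return flagged


def audit(pods=PODS):
    """Return {pod name: [flagged containers]} for every sample Pod."""
    return {name: violations(p) for name, p in pods.items()}


if __name__ == "__main__":
    for name, flagged in audit().items():
        print(f"{name:18} {'fail' if flagged else 'pass'}  {flagged}")
```

Two of these outcomes are caveats rather than bugs in the workload: a container with `drop: [ALL]`, and one that spells the capability `NET_RAW`, both fail this rule even though the kernel capability is gone at runtime, because the condition is a literal comparison against `CAP_NET_RAW` after uppercasing. If your manifests use either form, either add `CAP_NET_RAW` explicitly alongside it or extend the deny condition before switching from `audit` to `enforce`. To run the real engine against a saved manifest rather than this model, use the Kyverno CLI: `kyverno apply require_drop_cap_net_raw.yaml --resource pod.yaml`.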