Profile Applicability:
Level 1
Description:
The NET_RAW capability (CAP_NET_RAW) allows a process to open raw and packet sockets, which permits low-level networking operations such as capturing traffic on the container's interfaces or crafting arbitrary packets (for example, spoofed ARP or DNS replies). This check ensures that containers drop NET_RAW unless a specific workload explicitly requires it, minimizing the risk this capability carries.
Rationale:
A container that holds NET_RAW can sniff traffic reaching its network namespace and forge packets on the node's pod network. That is enough to attempt ARP or DNS spoofing against other pods on the same node, intercept or tamper with unencrypted traffic, or flood the network in a denial-of-service attempt. Because the container runtime's default capability set includes NET_RAW, every container that does not explicitly drop it keeps this ability. Dropping NET_RAW by default, and adding it back only for workloads that demonstrably need it, removes this attack surface from the cluster.
Impact:
Pros:
Enhances security by limiting the container's ability to perform low-level networking operations.
Reduces the risk of unauthorized access or manipulation of network traffic.
Cons:
Some applications, such as network monitoring or packet-capture tools, require NET_RAW to function. Older ping implementations also rely on it; recent images use unprivileged ICMP datagram sockets instead, so test a workload before assuming it needs the capability.
Requires per-workload review and admission policy configuration so that only containers with a justified need receive the capability.
Default Value:
By default a container receives its runtime's default capability set, and on the Docker and containerd defaults that Kubernetes has historically inherited that set includes NET_RAW. The capability therefore remains available unless the pod explicitly lists it under capabilities.drop (or drops ALL); it is not removed automatically. The Pod Security Standards baseline profile only forbids adding NET_RAW, while the restricted profile requires every container to drop ALL capabilities.
Pre-requisites:
Ensure that an admission mechanism is in place to enforce capability restrictions. PodSecurityPolicy (PSP) was deprecated in Kubernetes 1.21 and removed in 1.25, and it is no longer available on current AKS versions; use Pod Security Admission (the built-in enforcement of the Pod Security Standards via namespace labels) or Azure Policy for AKS instead. The PodSecurityPolicy examples below apply only to clusters that still run it.
Test Plan:
Using Azure Console:
In the Azure portal, open the Azure Kubernetes Service (AKS) cluster and go to Kubernetes resources > Workloads.
For each pod, open the YAML view and inspect securityContext.capabilities for every container and init container.
Treat a container as non-compliant if NET_RAW appears under add, or if neither NET_RAW nor ALL appears under drop (the capability is then inherited from the runtime default). Also confirm that each namespace carries a pod-security.kubernetes.io/enforce label, or that an Azure Policy for AKS assignment restricting container capabilities is in place, so the restriction is enforced at admission time rather than relying on individual pod specs.
Using Azure CLI:
List every pod together with the capabilities each of its containers adds and drops:
kubectl get pods -A -o=jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}add={.spec.containers[*].securityContext.capabilities.add}{"\t"}drop={.spec.containers[*].securityContext.capabilities.drop}{"\n"}{end}'
Review the output: NET_RAW must not appear in any add list, and every container should drop NET_RAW or ALL. A container with an empty drop list retains NET_RAW from the runtime default, so an empty add list alone does not mean the container is compliant. Repeat the query with .spec.initContainers[*] to cover init containers.
Confirm that the restriction is enforced at admission, for example through Pod Security Admission labels on each namespace (pod-security.kubernetes.io/enforce set to restricted) or an Azure Policy for AKS assignment that limits allowed container capabilities. On legacy clusters that still run PodSecurityPolicy, verify that a policy requiring NET_RAW to be dropped is bound to the relevant service accounts.
Implementation Plan:
Using Azure Console:
In the Azure portal, open the AKS cluster, go to Kubernetes resources > Workloads, and edit the YAML of the affected Deployment, StatefulSet, DaemonSet or Pod.
Drop NET_RAW in each container's security context (and in each init container's) so it is neither added nor inherited:
securityContext:
  capabilities:
    add: []
    drop: ["NET_RAW"]
Enforce the restriction at admission. On current clusters, label the workload's namespace with pod-security.kubernetes.io/enforce=restricted (the restricted profile requires every container to drop ALL capabilities and only permits adding back NET_BIND_SERVICE), or assign the Azure Policy for AKS built-in definition that restricts container capabilities. On legacy clusters that still support PodSecurityPolicy (removed in Kubernetes 1.25 and on current AKS), a policy such as the following prevents NET_RAW:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-netraw
spec:
  allowedCapabilities: []
  requiredDropCapabilities: ["NET_RAW"]
Ensure the policy actually applies to the workloads: a PodSecurityPolicy only takes effect once the pod's service account is granted use of it through RBAC, and a Pod Security Admission label only covers the namespace it is set on.
Using Azure CLI:
To restrict NET_RAW, update the Pod specification YAML to drop the capability from every container and init container:
securityContext:
  capabilities:
    drop: ["NET_RAW"]
Apply the updated Pod specification:
kubectl apply -f pod-spec.yaml
Enforce the rule at admission so new pods cannot reintroduce the capability. On current clusters, use Pod Security Admission by labeling the namespace with pod-security.kubernetes.io/enforce=restricted, or assign the Azure Policy for AKS built-in definition that restricts container capabilities. On legacy clusters that still run PodSecurityPolicy (removed in Kubernetes 1.25 and on current AKS), create a policy YAML file that drops NET_RAW:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-netraw
spec:
  allowedCapabilities: []
  requiredDropCapabilities: ["NET_RAW"]
Apply the PodSecurityPolicy and bind it to the workload's service accounts through RBAC:
kubectl apply -f pod-security-policy.yaml
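The audit step in the Test Plan and the hardening step in the Implementation Plan can be combined in one script that reads the JSON output of kubectl get pods -A -o json, reports every container that can still use NET_RAW (including the easily missed case where nothing is added or dropped and the runtime default applies), and computes the corrected securityContext. This is an added example written for this page, not code from AKS, Kubernetes or the CIS benchmark; the pod, namespace and container names in the embedded sample are constructed for illustration.

```python
"""Audit a `kubectl get pods -A -o json` dump for containers that can still use
CAP_NET_RAW, and compute the hardened securityContext for each offender.

Added example for this page; not part of AKS, Kubernetes or the CIS benchmark.
"""
import copy
import json
import sys

# Constructed sample of what `kubectl get pods -A -o json` returns, trimmed to
# the fields this check reads. Namespace, pod and container names are
# illustrative assumptions, not real workloads.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"namespace": "default", "name": "packet-sniffer"},
         "spec": {"containers": [
             {"name": "sniffer",
              "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]}},
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [{"name": "nginx"}]}},  # no securityContext at all
        {"metadata": {"namespace": "payments", "name": "api"},
         "spec": {
             "initContainers": [
                 {"name": "migrate",
                  "securityContext": {"capabilities": {
                      "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
             "containers": [
                 {"name": "api",
                  "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
        {"metadata": {"namespace": "monitoring", "name": "agent"},
         "spec": {"containers": [
             {"name": "agent",
              "securityContext": {"capabilities": {
                  "drop": ["ALL"], "add": ["CAP_NET_RAW"]}}}]}},
    ]
}


def _norm(cap):
    """Kubernetes accepts both NET_RAW and CAP_NET_RAW; compare on one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _containers(pod):
    """Yield (field, container) for every container kind a pod can carry."""
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            yield field, container


def net_raw_effective(container):
    """Return (has_net_raw, reason) for one container spec.

    Kubernetes applies `drop` first and `add` afterwards, so an added NET_RAW
    wins even over `drop: [ALL]`. A container that neither adds nor drops it
    keeps the runtime's default capability set, which includes NET_RAW on the
    Docker/containerd defaults Kubernetes has historically inherited.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = {_norm(c) for c in caps.get("add") or []}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    if "NET_RAW" in added:
        return True, "explicitly added"
    if "ALL" in dropped or "NET_RAW" in dropped:
        return False, "dropped"
    return True, "inherited from runtime default (never dropped)"


def harden(container):
    """Return a copy of the container spec with NET_RAW dropped and never added.

    An existing `drop: [ALL]` is kept; otherwise NET_RAW is appended to `drop`.
    Any NET_RAW entry in `add` is removed.
    """
    hardened = copy.deepcopy(container)
    if hardened.get("securityContext") is None:
        hardened["securityContext"] = {}
    caps = hardened["securityContext"].setdefault("capabilities", {})
    caps["add"] = [c for c in caps.get("add") or [] if _norm(c) != "NET_RAW"]
    drop = list(caps.get("drop") or [])
    if not any(_norm(c) in ("ALL", "NET_RAW") for c in drop):
        drop.append("NET_RAW")
    caps["drop"] = drop
    return hardened


def audit(pod_list):
    """List every container in the dump that still holds NET_RAW, with its fix."""
    findings = []
    for pod in pod_list.get("items") or []:
        meta = pod.get("metadata") or {}
        for field, container in _containers(pod):
            has_cap, reason = net_raw_effective(container)
            if has_cap:
                findings.append({
                    "namespace": meta.get("namespace"),
                    "pod": meta.get("name"),
                    "field": field,
                    "container": container.get("name"),
                    "reason": reason,
                    "hardened": harden(container)["securityContext"],
                })
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json > pods.json && python3 audit_net_raw.py pods.json
    # With no argument the constructed sample above is audited instead.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for f in audit(data):
        print(f"{f['namespace']}/{f['pod']} {f['field']}[{f['container']}]: {f['reason']}")
        print("  fix:", json.dumps(f["hardened"]))
```

Run against the sample, the script flags three containers: the one that adds NET_RAW outright, the one with no securityContext (runtime default), and the one that drops ALL but adds CAP_NET_RAW back, which is still non-compliant because add is applied after drop. The api pod's containers are not reported because they drop NET_RAW or ALL.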
Backout Plan:
Using Azure Console:
If restricting NET_RAW breaks a legitimate workload, revert the change for that workload only: edit the container's security context in the portal YAML view to add NET_RAW back, and relax the admission policy for its namespace (for example by lowering the Pod Security Admission enforce label from restricted to baseline, or by editing the PodSecurityPolicy on legacy clusters). Note that the baseline profile still forbids adding NET_RAW, so a namespace hosting such a workload needs the privileged level or an exemption.
Using Azure CLI:
Revert the Pod specification by adding NET_RAW back into the add list of the capabilities section for the container that needs it:
securityContext:
  capabilities:
    add: ["NET_RAW"]
Apply the configuration:
kubectl apply -f pod-spec.yaml
If admission enforcement rejects the pod, adjust the policy for that namespace (Pod Security Admission enforces the label at admission, and adding NET_RAW is disallowed by both the baseline and restricted profiles). On legacy clusters, revert PodSecurityPolicy changes by deleting the policy with:
kubectl delete podsecuritypolicy restrict-netraw
References:
Kubernetes Security Context Documentation (Configure a Security Context for a Pod or Container)
Kubernetes Pod Security Standards and Pod Security Admission Documentation
Kubernetes PodSecurityPolicy Documentation (deprecated in 1.21, removed in 1.25)
Azure Kubernetes Service (AKS) Security Best Practices