Minimize the admission of containers with the NET_RAW capability (PSP)

Risk Level: High
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.30
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

List<KubernetesPodSecurityPolicy> where items length() > 0 should have items contain [spec.requiredDropCapabilities contain ['NET_RAW' or 'ALL']]

REMEDIATION

Create a CAC rule or PSP as described in the Kubernetes documentation, ensuring that .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
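The following is an added example (not CloudGuard's own rule evaluator): it restates the GSL logic above in Python so the check can be run offline against a set of PodSecurityPolicy objects, and shows the remediation step applied to a non-compliant PSP. The three manifests are constructed sample data, and the example assumes the GSL "items contain [...]" clause passes when at least one PSP matches, which is how the corresponding CIS check ("at least one PSP returns NET_RAW or ALL") reads.

```python
"""Offline evaluation of rule D9.K8S.IAM.30 over constructed PodSecurityPolicy objects.

Added example, not CloudGuard code. It mirrors the page's GSL:
  List<KubernetesPodSecurityPolicy> where items length() > 0
    should have items contain [spec.requiredDropCapabilities contain ['NET_RAW' or 'ALL']]
"""
import copy

# Values of .spec.requiredDropCapabilities that satisfy the rule
ACCEPTED_DROPS = {"NET_RAW", "ALL"}

# Constructed sample PSPs (not taken from any real cluster)
PSP_RESTRICTED = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {
        "privileged": False,
        "requiredDropCapabilities": ["ALL"],
        "runAsUser": {"rule": "MustRunAsNonRoot"},
    },
}
PSP_NET_RAW = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "drop-net-raw"},
    "spec": {"privileged": False, "requiredDropCapabilities": ["NET_RAW"]},
}
PSP_PERMISSIVE = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "permissive"},
    # No requiredDropCapabilities: pods admitted under this PSP keep NET_RAW
    "spec": {"privileged": False, "allowedCapabilities": ["NET_BIND_SERVICE"]},
}


def psp_drops_net_raw(psp):
    """True if this PSP forces NET_RAW (or ALL capabilities) to be dropped."""
    drops = psp.get("spec", {}).get("requiredDropCapabilities") or []
    return any(cap in ACCEPTED_DROPS for cap in drops)


def evaluate_rule(psps):
    """Evaluate the GSL over a list of PSP objects.

    The 'where items length() > 0' clause means an empty list is not assessed
    (reported as not_applicable). Otherwise the rule passes when at least one
    PSP requires NET_RAW or ALL to be dropped; the non-compliant PSPs are listed
    so an operator can see which policies still admit NET_RAW.
    """
    if not psps:
        return {"status": "not_applicable", "compliant": [], "non_compliant": []}
    compliant = [p["metadata"]["name"] for p in psps if psp_drops_net_raw(p)]
    non_compliant = [p["metadata"]["name"] for p in psps if not psp_drops_net_raw(p)]
    return {
        "status": "pass" if compliant else "fail",
        "compliant": compliant,
        "non_compliant": non_compliant,
    }


def remediate(psp):
    """Return a copy of the PSP with NET_RAW added to .spec.requiredDropCapabilities.

    A PSP that already drops NET_RAW or ALL is returned unchanged; the input
    object is never mutated.
    """
    fixed = copy.deepcopy(psp)
    spec = fixed.setdefault("spec", {})
    drops = list(spec.get("requiredDropCapabilities") or [])
    if not ACCEPTED_DROPS & set(drops):
        drops.append("NET_RAW")
    spec["requiredDropCapabilities"] = drops
    return fixed


if __name__ == "__main__":
    print(evaluate_rule([PSP_PERMISSIVE]))                 # fails: nothing drops NET_RAW
    print(evaluate_rule([PSP_PERMISSIVE, PSP_RESTRICTED]))  # passes: 'restricted' drops ALL
    print(remediate(PSP_PERMISSIVE)["spec"]["requiredDropCapabilities"])
```

To run this against a live cluster, feed `evaluate_rule` the `items` array from `kubectl get psp -o json`. Note that PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25, so on current clusters the equivalent control is enforced by the admission mechanism that replaced it rather than by PSP objects.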

References

  1. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies
  2. https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/

Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define the set of conditions a pod must satisfy in order to be accepted into the system, as well as defaults for the related fields.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices