NET_RAW Capabilities Not Being Dropped

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-007
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "NET_RAW Capabilities Not Being Dropped"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-306"
    rules.spotter.dev/description: "NET_RAW capability must be dropped"
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
        - ''
        - apps
        versions:
        - v1
        kinds:
        - Pod
        - Deployment
        - StatefulSet
        namespaces:
          include:
          - '*'
          exclude:
          - kube-system
          - kube-public
        labels:
          exclude: 
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && (
      (has(object.spec.containers) && object.spec.containers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) || !c.securityContext.capabilities.drop.exists(cap, cap == "NET_RAW")
      )) ||
      (has(object.spec.initContainers) && object.spec.initContainers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) || !c.securityContext.capabilities.drop.exists(cap, cap == "NET_RAW")
      ))
    )) ||
    (object.kind != 'Pod' && (
      (has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) || !c.securityContext.capabilities.drop.exists(cap, cap == "NET_RAW")
      )) ||
      (has(object.spec.template.spec.initContainers) && object.spec.template.spec.initContainers.exists(c,
        !has(c.securityContext) || !has(c.securityContext.capabilities) || !has(c.securityContext.capabilities.drop) || !c.securityContext.capabilities.drop.exists(cap, cap == "NET_RAW")
      ))
    ))
  remediation:
    manual: "Drop NET_RAW capability in securityContext by adding it to the capabilities.drop list"
  references:
    - title: "CIS Kubernetes Benchmark v1.8.0"
      url: "https://www.cisecurity.org/benchmark/kubernetes"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: example
    spec:
      containers:
          - name: payment
            image: nginx
            securityContext:
              capabilities:
                drop:
                  - SYS_ADMIN
          - name: payment2
            image: nginx
          - name: payment4
            image: nginx
            securityContext:
              capabilities:
                add:
                  - NET_BIND_SERVICE
          - name: payment3
            image: nginx
            securityContext:
              allowPrivilegeEscalation: false

- name: insecure sample 2 should fail
  pass: false
  input: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: redis-unhealthy-deployment
      labels:
        app: redis
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: redis
      template:
        metadata:      
          labels:
            app: redis
        spec:
          hostNetwork: true
          hostPID: true 
          hostIPC: true
          containers:
          - name: redis
            image: redis:latest
            ports:
            - containerPort: 9001
              hostPort: 9001
            securityContext:
              privileged: true
              readOnlyRootFilesystem: false
              allowPrivilegeEscalation: true
              runAsUser: 0
              capabilities:
                add:
                  - NET_ADMIN

- name: secure sample 1 should pass
  pass: true
  input: |-
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: example
    spec:
      containers:
          - name: payment
            image: nginx
            securityContext:
              capabilities:
                drop:
                  - ALL
                add:
                  - NET_BIND_SERVICE
      privileged: false
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
      - '*'

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-workload-007
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-workload-007
spec:
  # Add your VAP configuration here

Rule Metadata

NET_RAW Capabilities Not Being Dropped

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub