Drop CAP_NET_RAW

Capabilities permit privileged actions without giving full root access. The CAP_NET_RAW capability, enabled by default, allows processes in a container to forge packets and bind to any interface, potentially leading to MitM attacks. This policy ensures that all containers explicitly drop the CAP_NET_RAW capability. Note that this policy also illustrates how to match drop entries regardless of letter case (for example net_raw as well as CAP_NET_RAW), although this may not strictly conform to the Pod Security Standards.

Policy Definition

/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-cap-net-raw
  annotations:
    policies.kyverno.io/title: Drop CAP_NET_RAW
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. The
      CAP_NET_RAW capability, enabled by default, allows processes in a container to
      forge packets and bind to any interface potentially leading to MitM attacks.
      This policy ensures that all containers explicitly drop the CAP_NET_RAW
      ability. Note that this policy also illustrates how to cover drop entries in any
      case although this may not strictly conform to the Pod Security Standards.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: require-drop-cap-net-raw
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Containers must drop the `CAP_NET_RAW` capability.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: CAP_NET_RAW
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
                - key: NET_RAW
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
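To make the rule's evaluation order concrete, the following Python re-implements the same logic outside Kyverno: walk ephemeralContainers, initContainers and containers, upper-case each container's securityContext.capabilities.drop list (defaulting to an empty list when any level is missing, as the `|| \`[]\`` fallback does), and deny the Pod when a container lists neither CAP_NET_RAW nor NET_RAW. This is an added example, not Kyverno's code nor part of the policy above; the sample Pod manifests are constructed for illustration.

```python
"""Stand-alone model of the drop-cap-net-raw rule (added illustration, not Kyverno code)."""
from typing import Any, Dict, List, Set

# Same three lists the policy's JMESPath expression concatenates, in the same order.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")

# The rule has two AnyNotIn conditions joined with `all`, so a container passes
# when either spelling is present in its (upper-cased) drop list.
ACCEPTED = {"CAP_NET_RAW", "NET_RAW"}


def dropped_capabilities(container: Dict[str, Any]) -> Set[str]:
    """Model of `element.securityContext.capabilities.drop[].to_upper(@) || []`.

    A missing securityContext, capabilities or drop key yields the empty set,
    mirroring the policy's fallback to an empty list."""
    sc = container.get("securityContext") or {}
    caps = (sc.get("capabilities") or {}).get("drop") or []
    return {str(c).upper() for c in caps}


def violations(pod: Dict[str, Any]) -> List[str]:
    """Names (list/name) of containers that drop neither CAP_NET_RAW nor NET_RAW.

    An empty result means the Pod passes the rule; an empty Pod spec also passes,
    because `foreach` has no elements to deny."""
    spec = pod.get("spec") or {}
    bad = []
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            if not (dropped_capabilities(container) & ACCEPTED):
                bad.append("%s/%s" % (list_name, container.get("name", "<unnamed>")))
    return bad


def evaluate(pod: Dict[str, Any]) -> str:
    """Return 'pass' or the policy's deny message with the offending containers appended."""
    bad = violations(pod)
    if not bad:
        return "pass"
    return "Containers must drop the `CAP_NET_RAW` capability: " + ", ".join(bad)


def _container(name: str, drop=None) -> Dict[str, Any]:
    """Build a minimal container; drop=None omits securityContext entirely."""
    c = {"name": name, "image": "example.invalid/%s:1" % name}  # constructed image ref
    if drop is not None:
        c["securityContext"] = {"capabilities": {"drop": drop}}
    return c


# Constructed sample Pods (not from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "initContainers": [_container("init", ["net_raw"])],          # lower case is fine
        "containers": [_container("web", ["CAP_NET_RAW"])],
        "ephemeralContainers": [_container("debug", ["NET_RAW"])],
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "initContainers": [_container("init", ["CAP_NET_RAW"])],      # passes
        "containers": [
            _container("web"),                                        # no securityContext -> []
            _container("sidecar", ["ALL"]),                           # neither literal present
        ],
    },
}

EMPTY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "empty"}, "spec": {}}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD, EMPTY_POD):
        print(pod["metadata"]["name"], "->", evaluate(pod))
```

The sidecar case is worth noticing: a container with drop: [ALL] is flagged by the two conditions as written, because the rule looks for the literal entries CAP_NET_RAW or NET_RAW and ALL is neither. If dropping ALL should be accepted as well, a third accepted spelling would have to be added to the conditions.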