Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Security Capabilites must omit the CAP prefix which is required by Kyverno policies #1166

Open
2 tasks done
StraysWonderland opened this issue Sep 24, 2024 · 5 comments · May be fixed by #1168
Open
2 tasks done

[Bug] Security Capabilites must omit the CAP prefix which is required by Kyverno policies #1166

StraysWonderland opened this issue Sep 24, 2024 · 5 comments · May be fixed by #1168
Assignees
@epasham
Labels
bug Something isn't working

Comments

@StraysWonderland
Copy link

Kyverno Version

1.11

Kubernetes Version

1.26

Kubernetes Platform

EKS

Description

We have implemented a subset of the best practices policies on our aks cluster.
The issue I'm facing is related to the require-drop-cap-net-raw policy which can be found here within the kyverno policies repository

However this policy does only recognize a pod as passing the policy if the capability section is defined as:

securityContext:
  capabilities:
    drop:
      - CAP_NET_RAW

so with the CAP prefix

According to the official kubernetes documentation however, these capabilities should omit the CAP prefix as can be seen here:
image

And the problem is that kyverno does not seem to recognize resources dropping the capabilities in this manner:

securityContext:
  capabilities:
    drop: ["NET_RAW"]

Ive done a bit of testing on some pods and it seems that pods with the CAP_NET_RAW definition, tough passing the kyverno policy, are not actually dropping the security capabilities while pods with the NET_RAW definition fail kyverno but are correctly dropping the security capability.

Ive also visualised how kyverno fails/passes these different definitions in the kyverno playground via this test using the official kyverno policy and two pods with the different capability syntax.

And the playground test also shows that
CAP_NET_RAW is passing while
NET_RAW is failing

image

Steps to reproduce

  1. Implement the require-cap-net-raw policy - on audit mode ideally
  2. deploy a pod that specifies securityContext capabilities drop: CAP_NET_RAW
  3. deploy a second pod with the securityContext capabilities drop: NET_RAW

Expected behavior

Kyverno should allow the 2nd pod with NET_RAW syntax as according to kubernetes this is the correct way to drop the capability.
And likely not accept the CAP_NET_RAW definition as this does not actually seem to achieve what it should within the container.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@StraysWonderland StraysWonderland added the bug Something isn't working label Sep 24, 2024
@StraysWonderland StraysWonderland changed the title [Bug] [Bug] Kubernetes requires that Security Capabilites must omit the CAP prefix which is required by Kyverno policies Sep 24, 2024
@StraysWonderland StraysWonderland changed the title [Bug] Kubernetes requires that Security Capabilites must omit the CAP prefix which is required by Kyverno policies [Bug] Security Capabilites must omit the CAP prefix which is required by Kyverno policies Sep 24, 2024
@epasham
Copy link
Contributor

epasham commented Sep 26, 2024
edited
Loading

Can we modify the policy to support both CAP_NET_RAW and NET_RAW capabilities instead of omiting CAP prefix

@StraysWonderland
Copy link
Author

that would be an option.
However; My concern is that when specifying CAP_NET_RAW on your kubernetes resources, the pod still has the capabilities that should be dropped.
So while kyverno will say that all is fine and secure; the pod is still vulnerable to i.e. spoofing attacks as pods still have access to the NET_RAW capabilities.

My tests indicate that behaviour but I think ideally someone would need to confirm my suspicion to be sure about this.
If my suspicion is incorrect then allowing both is a suitable solution I believe

@epasham
Copy link
Contributor

epasham commented Sep 26, 2024

I have seen in some deployment manifests CAP_NET_RAW is used. It might be Operating system specific. For now, good option is to allow both CAP_NET_RAW and NET_RAW.

@epasham
Copy link
Contributor

epasham commented Sep 26, 2024
edited
Loading

The changes are done and tested. will be submitting the pull request shortly.

@epasham
Copy link
Contributor

epasham commented Sep 26, 2024
edited
Loading

PR is submitted #1168

@realshuting realshuting linked a pull request Sep 26, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@epasham epasham

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix for issue 1166: Allow CAP_NET_RAW and NET_RAW drop capabilities epasham/policies
2 participants
@epasham @StraysWonderland