Merge pull request #1168 from epasham/main

Fix for issue 1166: Allow CAP_NET_RAW and NET_RAW drop capabilities
kyverno · Oct 17, 2024 · 7c3df92 · 7c3df92
2 parents 45a6e62 + 372d7f4
commit 7c3df92
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -22,4 +22,20 @@ spec:
     securityContext:
       capabilities:
         drop:
-          - CAP_NET_RAW
+          - CAP_NET_RAW
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: drop-netraw-good
+spec:
+  containers:
+    - args:
+        - sleep
+        - infinity
+      image: ghcr.io/kyverno/test-busybox:1.35
+      name: busybox
+      securityContext:
+         capabilities:
+           drop:
+             - NET_RAW
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Pod"
-digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784
+digest: 357011bf6ef0268a0ca1b248e0c7a59fc42e7f2017d02838c85711c329130676
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -40,4 +40,7 @@ spec:
                 all:
                 - key: CAP_NET_RAW
                   operator: AnyNotIn
-                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+                - key: NET_RAW
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"