Kubernetes: Man in the middle leading to root privilege escalation using hostNetwork=true (CAP_NET_RAW considered harmful)
Summary: The CAP_NET_RAW capability is still included by default in K8S, leading to yet another attack. An attacker gaining access to a hostNetwork=true container with the CAP_NET_RAW capability can listen to all the traffic going through the host and inject arbitrary traffic, allowing them to tamper with most...
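A defender can audit manifests for the combination the summary describes. The following is an added example, not code from the report or from Kubernetes: it flags containers in hostNetwork=true pods that still hold NET_RAW. The sample pods, their names and the `pod` helper are constructed for illustration, and the capability resolution is a conservative approximation of what a container runtime does.

```python
# Constructed sample manifests (not from the report); names are hypothetical.
def pod(name, host_network, security_context=None):
    container = {"name": "main", "securityContext": security_context or {}}
    return {"metadata": {"name": name},
            "spec": {"hostNetwork": host_network, "containers": [container]}}

SAMPLE_PODS = [
    pod("node-agent", True),                      # no drop: default capabilities
    pod("node-agent-hardened", True, {"capabilities": {"drop": ["NET_RAW"]}}),
    pod("dropall-readd", True,
        {"capabilities": {"drop": ["ALL"], "add": ["CAP_NET_RAW"]}}),
    pod("privileged-agent", True, {"privileged": True}),
    pod("web", False),                            # uses the pod network
]

def _caps(container, key):
    """Return the add/drop list upper-cased, tolerating a CAP_ prefix."""
    sc = container.get("securityContext") or {}
    names = (sc.get("capabilities") or {}).get(key) or []
    return {n.upper()[4:] if n.upper().startswith("CAP_") else n.upper()
            for n in names}

def keeps_net_raw(container):
    """Conservative: True unless NET_RAW is dropped and not added back."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True  # privileged containers hold every capability
    if _caps(container, "add") & {"NET_RAW", "ALL"}:
        return True
    # No drop entry: the runtime default set applies, which per the summary
    # above still includes CAP_NET_RAW.
    return not (_caps(container, "drop") & {"NET_RAW", "ALL"})

def audit(pods):
    """Return sorted (pod, container) pairs combining hostNetwork and NET_RAW."""
    findings = []
    for p in pods:
        spec = p.get("spec") or {}
        if not spec.get("hostNetwork"):
            continue
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            if keeps_net_raw(c):
                findings.append((p["metadata"]["name"], c["name"]))
    return sorted(findings)

if __name__ == "__main__":
    for pod_name, container_name in audit(SAMPLE_PODS):
        print(f"{pod_name}/{container_name}: hostNetwork=true with CAP_NET_RAW")
```

Only the pod that drops NET_RAW without re-adding it passes; the pod with no `capabilities` entry is flagged because it inherits the default set.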