lacework-global-651
Minimize the execution of container workloads sharing the host network namespace (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit the running of containers with the hostNetwork flag set to true.
Rationale
A container running in the host's network namespace shares the node's network stack: it can reach services bound to the node's loopback interface (for example the kubelet's read-only endpoints or a node-local metrics endpoint), can observe and interfere with traffic to and from other pods on the node, and can bind ports on the node's own addresses. Because its traffic never traverses the pod network, NetworkPolicy rules that are enforced at the pod interface generally do not apply to it.
Impact
Pods defined with spec.hostNetwork: true will not be permitted.
Audit
The following command returns pods which have the spec.hostNetwork flag set to true. Run it across all namespaces (without --all-namespaces, kubectl only inspects the current namespace) and verify that it does not return any pods. Note that some system components, such as kube-proxy and CNI agents in kube-system, legitimately run with hostNetwork; review any pod that is returned and treat anything outside an expected, documented exception as a finding:
kubectl get pods --all-namespaces -o jsonpath="{range .items[?(@.spec.hostNetwork==true)]}{.metadata.namespace}/{.metadata.name}{'\n'}{end}"
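The same check as a script, added here as an example and not part of the Lacework policy or the CIS benchmark. It parses the JSON that `kubectl get pods --all-namespaces -o json` prints, treats a missing hostNetwork key as false (the PodSpec default), reports the namespace with each pod name, and separates pods in an assumed exception list of namespaces (kube-system by default; that list and the sample pod data are constructed for illustration) from real violations. Run it with --live to audit the current kubectl context, otherwise it runs against the embedded sample.

```python
"""Audit pods for spec.hostNetwork == true (added example; constructed data)."""
import json
import subprocess
import sys

# Constructed sample of `kubectl get pods --all-namespaces -o json` output.
# Not real cluster data; it exists so the script runs offline.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-1"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "web", "image": "nginx"}]}},
        {"metadata": {"namespace": "default", "name": "web-2"},
         "spec": {"hostNetwork": False,
                  "containers": [{"name": "web", "image": "nginx"}]}},
        # hostNetwork omitted: the API server defaults it to false, so compliant.
        {"metadata": {"namespace": "payments", "name": "api-1"},
         "spec": {"containers": [{"name": "api", "image": "api:1.0"}]}},
        # System component that is expected to use the host network.
        {"metadata": {"namespace": "kube-system", "name": "kube-proxy-abc"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "kube-proxy", "image": "kube-proxy"}]}},
    ],
})

# Assumed exception list: namespaces whose host-network pods are expected
# (kube-proxy, CNI agents). Adjust to the cluster's documented exceptions.
DEFAULT_EXEMPT_NAMESPACES = frozenset({"kube-system"})


def find_host_network_pods(pod_list_json, exempt_namespaces=DEFAULT_EXEMPT_NAMESPACES):
    """Return (violations, exempted): sorted "namespace/name" lists of pods
    whose spec.hostNetwork is true. A missing key counts as false."""
    pods = json.loads(pod_list_json).get("items", [])
    violations, exempted = [], []
    for pod in pods:
        spec = pod.get("spec", {})
        if not spec.get("hostNetwork", False):
            continue
        meta = pod.get("metadata", {})
        namespace = meta.get("namespace", "default")
        ref = f"{namespace}/{meta.get('name', '<unnamed>')}"
        if namespace in exempt_namespaces:
            exempted.append(ref)
        else:
            violations.append(ref)
    return sorted(violations), sorted(exempted)


def audit_cluster(exempt_namespaces=DEFAULT_EXEMPT_NAMESPACES):
    """Fetch the live pod list from the current kubectl context and audit it."""
    out = subprocess.run(
        ["kubectl", "get", "pods", "--all-namespaces", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_host_network_pods(out, exempt_namespaces)


def main(argv):
    if "--live" in argv:
        violations, exempted = audit_cluster()
    else:
        violations, exempted = find_host_network_pods(SAMPLE_POD_LIST)
    for ref in exempted:
        print(f"exempted (expected host-network pod): {ref}")
    for ref in violations:
        print(f"VIOLATION spec.hostNetwork=true: {ref}")
    # Non-zero exit makes the check usable as a CI gate.
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

With the sample data the script reports default/web-1 as a violation and kube-system/kube-proxy-abc as an exempted pod; payments/api-1 is not listed because an absent flag means false.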
Remediation
Update pod configurations to ensure that the spec.hostNetwork flag is false or not set (defaults to false if not set).
The following example explicitly sets the hostNetwork flag to false:
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  hostNetwork: false
  containers:
  - name: hello-world
    image: hello-world
References
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#podspec-v1-core
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod