Minimize the admission of containers which use HostPorts
Do not generally permit containers which require the use of HostPorts. Host ports connect containers directly to the host's network, which can bypass controls such as network policy.
Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.80
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
KubernetesPod should not have spec.containers contain [ ports contain [ hostPort!=0 ] ] or spec.initContainers contain [ ports contain [ hostPort!=0 ] ]
REMEDIATION
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPort sections.
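As an added example (not part of the CloudGuard rule or its GSL engine), the following Python evaluates the GSL logic above against Pod manifests already parsed into dicts, reporting the exact field path of every non-zero hostPort in both containers and initContainers; the two manifests are constructed samples.

```python
# Added example: a plain-Python evaluation of the GSL rule
# "spec.containers contain [ports contain [hostPort!=0]] or
#  spec.initContainers contain [ports contain [hostPort!=0]]".
# Manifests are constructed samples, not taken from the page.

def host_port_violations(pod):
    """Return (field_path, hostPort) for every port whose hostPort != 0.

    Both spec.containers and spec.initContainers are checked, matching the
    GSL logic. A hostPort that is absent or explicitly 0 is compliant.
    """
    spec = pod.get("spec") or {}
    violations = []
    for section in ("containers", "initContainers"):
        for c_idx, container in enumerate(spec.get(section) or []):
            for p_idx, port in enumerate(container.get("ports") or []):
                host_port = port.get("hostPort", 0)
                if host_port != 0:
                    path = f"spec.{section}[{c_idx}].ports[{p_idx}].hostPort"
                    violations.append((path, host_port))
    return violations


def is_compliant(pod):
    """True when the Pod would pass the rule (no non-zero hostPort)."""
    return not host_port_violations(pod)


# Constructed sample: the init container binds host port 8080.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-web"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
        "containers": [{"name": "web", "image": "nginx",
                        "ports": [{"containerPort": 80}]}],
    },
}

# Constructed sample: same workload with the host port removed; an explicit
# hostPort of 0 is still compliant under the rule's "hostPort!=0" test.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-web"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "ports": [{"containerPort": 8080, "hostPort": 0}]}],
        "containers": [{"name": "web", "image": "nginx",
                        "ports": [{"containerPort": 80}]}],
    },
}

if __name__ == "__main__":
    for pod in (NONCOMPLIANT_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], "compliant:", is_compliant(pod),
              host_port_violations(pod))
```

The same check applied to the pods an admission controller sees gives a namespace-level gate of the kind the remediation describes.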
References
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- CIS Kubernetes Benchmark v1.23
Updated about 1 year ago