Minimize the admission of containers which use HostPorts

Do not generally permit containers which require the use of HostPorts. Host ports bind a container directly to the host's network namespace, which can bypass controls such as network policy.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.80
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod should not have spec.containers contain [ ports contain [ hostPort!=0 ] ] or spec.initContainers contain [ ports contain [ hostPort!=0 ] ]

REMEDIATION

Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers which use hostPort sections.
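As an added example (not CloudGuard's own code), the check below mirrors the GSL logic above over constructed Pod manifests, reporting every container or initContainer port that sets a non-zero hostPort, and builds the namespace labels a cluster running the built-in PodSecurity admission controller would use to enforce the remediation (assumption: the baseline Pod Security Standard, which rejects hostPort, is acceptable for the namespace).

```python
"""Evaluate the hostPort rule (D9.K8S.IAM.80) over Pod manifests and emit
the Pod Security Admission labels used to block such Pods per namespace."""
import json

# Constructed sample manifests (not from the original page).
POD_WITH_HOST_PORT = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "edge-helper", "namespace": "team-a"},
  "spec": {
    "initContainers": [{"name": "warmup", "image": "busybox",
        "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
    "containers": [{"name": "app", "image": "nginx",
        "ports": [{"containerPort": 80}]}]}}""")

POD_COMPLIANT = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "team-a"},
  "spec": {"containers": [{"name": "app", "image": "nginx",
        "ports": [{"containerPort": 80}]}]}}""")

# hostPort: 0 is treated as "not set", exactly as the GSL's hostPort!=0 does.
POD_HOST_PORT_ZERO = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "zero", "namespace": "team-a"},
  "spec": {"containers": [{"name": "app", "image": "nginx",
        "ports": [{"containerPort": 80, "hostPort": 0}]}]}}""")


def offending_ports(pod: dict) -> list:
    """Return (container name, hostPort) for each port breaching the rule.

    Walks spec.containers and spec.initContainers, as the GSL logic does;
    an absent hostPort or hostPort: 0 means no binding to the host network.
    """
    spec = pod.get("spec", {})
    found = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for p in c.get("ports", []):
            if p.get("hostPort", 0) != 0:
                found.append((c["name"], p["hostPort"]))
    return found


def violates_rule(pod: dict) -> bool:
    return bool(offending_ports(pod))


def pss_enforce_labels(level: str = "baseline") -> dict:
    """Namespace labels for the remediation: PodSecurity admission at the
    baseline level (or stricter) rejects Pods that set a hostPort."""
    return {"pod-security.kubernetes.io/enforce": level,
            "pod-security.kubernetes.io/enforce-version": "latest"}
```

Apply the labels with `kubectl label namespace <ns>` for every namespace carrying user workloads; the admission controller then rejects the first manifest at creation time rather than leaving it for a posture scan to find.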

References

  1. https://kubernetes.io/docs/concepts/security/pod-security-standards/

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.23