Host network namespace sharing is allowed
ID: share_host_network_namespace
Severity: low
Vendor: Kubernetes
Resource: PodSecurityPolicy
Tags: reachable
Description
In a Kubernetes cluster, every pod gets its own IP address. Pods can be treated much like VMs or physical hosts from the perspectives of port allocation, naming, service discovery, load balancing, application configuration, and migration.
When sharing of the host network namespace is enabled, the host could be visible to other containers in the pod.
Preventing the sharing of the host PID and IPC namespaces, networking, and ports ensures proper isolation between Docker containers and the underlying host.
Examples
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: bad
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true  # (1)
  hostPorts:
  - min: 0
    max: 65535
  hostPID: true
  hostIPC: true
(1) Setting hostNetwork to true means the host network is shared, which breaks the isolation between containers and the host and can make the host visible to other containers in the pod.
Mitigation / Fix
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: good
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: false  # (1)
  hostPorts:
  - min: 0
    max: 65535
  hostPID: false
  hostIPC: false
(1) Setting hostNetwork to false means the host network is not shared.
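To catch this misconfiguration before a policy reaches a cluster, the following added example (not code from this rule page or from Kubernetes) parses a PodSecurityPolicy manifest and reports which host namespaces it allows pods to share; it goes beyond hostNetwork to the hostPID and hostIPC fields named in the description. It embeds a small YAML-subset parser so it runs without PyYAML, which is an assumption made for illustration; use a full YAML library in practice.

```python
# Added example (not from the rule page): YAML-subset parser plus PSP host-namespace check.
HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")
def _scalar(text):
    # Booleans, non-negative integers and (optionally quoted) strings suffice for PSPs.
    t = text.strip()
    return t == "true" if t in ("true", "false") else int(t) if t.isdigit() else t.strip("'\"")
def _block(lines, i, indent):
    # Parse the block whose items start at column `indent`; return (value, next_index).
    if lines[i][indent] == "-":
        seq = []
        while i < len(lines) and lines[i].startswith(" " * indent + "-"):
            body = lines[i][indent + 1:].lstrip()
            if body.endswith(":") or ": " in body:
                lines[i] = " " * (indent + 2) + body  # "- key: v" opens a nested mapping
                item, i = _block(lines, i, indent + 2)
            else:
                item, i = _scalar(body), i + 1
            seq.append(item)
        return seq, i
    mapping = {}
    while i < len(lines) and len(lines[i]) - len(lines[i].lstrip(" ")) == indent:
        key, _, rest = lines[i][indent:].partition(":")
        if rest.strip():
            mapping[key], i = _scalar(rest), i + 1
        else:  # the value is the nested block starting on the next line
            mapping[key], i = _block(lines, i + 1, len(lines[i + 1]) - len(lines[i + 1].lstrip(" ")))
    return mapping, i
def parse_manifest(text):
    # Drop comments (the page's "(1)" callouts included) and blank lines, then parse.
    lines = [l.partition(" #")[0].rstrip() for l in text.splitlines()]
    return _block([l for l in lines if l.strip() and not l.lstrip().startswith("#")], 0, 0)[0]
def audit_psp(text):
    # Host namespaces the policy lets pods share; an absent field is false, the PSP default.
    doc = parse_manifest(text)
    if doc.get("kind") != "PodSecurityPolicy":
        return []
    return [f for f in HOST_NAMESPACE_FIELDS if (doc.get("spec") or {}).get(f) is True]

# Constructed sample: the page's "bad" policy, with its callout kept as a YAML comment.
BAD_PSP = """\
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
spec:
  hostNetwork: true  # (1)
  hostPorts:
  - min: 0
    max: 65535
  hostPID: true
  hostIPC: true"""
GOOD_PSP = BAD_PSP.replace("true", "false")
```

Running `audit_psp(BAD_PSP)` returns all three host namespace fields, while the corrected policy returns an empty list.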