yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod
Author: semgrep
Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.
Definition
rules:
- id: hostnetwork-pod
  patterns:
  - pattern-inside: |
      spec:
        ...
  - pattern: |
      hostNetwork: true
  message: Pod may use the node network namespace. This gives the pod access to
    the loopback device, services listening on localhost, and could be used to
    snoop on network activity of other pods on the same node. Remove the
    'hostNetwork' key to disable this functionality.
  metadata:
    cwe:
    - "CWE-406: Insufficient Control of Network Message Volume (Network Amplification)"
    references:
    - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
    category: security
    technology:
    - kubernetes
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Other
  languages:
  - yaml
  severity: WARNING
Examples
hostnetwork-pod.test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: view-pid
spec:
  # ruleid: hostnetwork-pod
  hostNetwork: true
  containers:
  - name: nginx
    image: nginx
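To see what the rule matches without running Semgrep, here is an added Python check (not part of the Semgrep rule or the registry page) that applies the same two-part condition, `hostNetwork: true` nested anywhere under a `spec:` key, to a constructed multi-document manifest; it goes a step beyond the test file by also covering a Deployment's pod template and a `hostNetwork: false` that must not fire.

```python
import re

# Constructed sample (not from the page): a Pod and a Deployment pod template that
# should fire, and a Pod with hostNetwork: false that must not.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
spec:
  hostNetwork: true
  containers:
  - name: nginx
    image: nginx
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      hostNetwork: true
---
apiVersion: v1
kind: Pod
spec:
  hostNetwork: false
"""
# Leading indent, optional "- " list marker, mapping key, rest of the line.
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z0-9_.-]+):\s*(.*)$")


def find_host_network(manifest):
    """Return (line, kind) for each 'hostNetwork: true' under a 'spec:' key (the rule's logic)."""
    findings, stack, kind = [], [], "?"  # stack: (indent, key) of the enclosing mappings
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "---":  # document separator: enclosing context does not carry over
            stack, kind = [], "?"
            continue
        if not (m := KEY_RE.match(line)):  # flow mappings and plain scalars are not tracked
            continue
        indent = len(m.group(1)) + len(m.group(2) or "")  # "- key:" sits past the dash
        key, value = m.group(3), m.group(4)
        while stack and stack[-1][0] >= indent:  # close mappings at this depth or deeper
            stack.pop()
        if key == "kind":
            kind = value
        if key == "hostNetwork" and value.lower() == "true" and any(k == "spec" for _, k in stack):
            findings.append((lineno, kind))
        stack.append((indent, key))
    return findings
```

Each finding is the line of the offending key plus the resource kind, which is the same location Semgrep reports for this rule; the indentation stack stands in for a real YAML parser so the check runs with the standard library alone.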
Short Link: https://sg.run/E51A