yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod


Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.


Definition

rules:
  - id: hostnetwork-pod
    patterns:
      - pattern-inside: |
          spec:
            ...
      - pattern: |
          hostNetwork: true
    message: Pod may use the node network namespace. This gives the pod access to
      the loopback device, services listening on localhost, and could be used to
      snoop on network activity of other pods on the same node. Remove the
      'hostNetwork' key to disable this functionality.
    metadata:
      cwe:
        - "CWE-406: Insufficient Control of Network Message Volume (Network
          Amplification)"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
      category: security
      technology:
        - kubernetes
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - yaml
    severity: WARNING

Examples

hostnetwork-pod.test.yaml

apiVersion: v1
kind: Pod
metadata:
  name: view-pid
spec:
  # ruleid: hostnetwork-pod
  hostNetwork: true
  containers:
    - name: nginx
      image: nginx
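The rule above only flags the `hostNetwork: true` key; the following added Python audit helper (not part of the Semgrep rule or its test file) applies the same check to parsed manifests, walking to the pod spec for each workload kind so the setting is also found when it is nested inside a Deployment or CronJob template. Manifests are assumed to be already-parsed dicts (what `yaml.safe_load_all()` or `json.load()` return), and the kind-to-path table and sample documents are constructed for this example.

```python
# Added audit helper (not part of the Semgrep rule): report hostNetwork: true
# wherever a Kubernetes pod spec lives, including inside workload templates.
# Manifests are passed as already-parsed dicts, i.e. what yaml.safe_load_all()
# or json.load() return; the kind->path table below is constructed from the
# API shapes and is not taken from the rule page.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def pod_spec_of(doc):
    """Return the pod spec dict for a workload manifest, or None for other kinds."""
    path = POD_SPEC_PATHS.get(doc.get("kind"))
    if path is None:
        return None
    node = doc
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node

def uses_host_network(doc):
    """True only for a real boolean true; the string "true" is a different YAML value."""
    spec = pod_spec_of(doc)
    return isinstance(spec, dict) and spec.get("hostNetwork") is True

def host_network_findings(docs):
    """'kind/name' for every manifest whose pods would share the node network namespace."""
    return [
        f"{d.get('kind')}/{d.get('metadata', {}).get('name', '<unnamed>')}"
        for d in docs if uses_host_network(d)
    ]

# Constructed samples: the page's test pod, a Deployment with the same setting
# nested inside its template, and a clean Pod that must not be reported.
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "view-pid"},
     "spec": {"hostNetwork": True, "containers": [{"name": "nginx", "image": "nginx"}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"hostNetwork": True, "containers": []}}}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "clean"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
]
```

Running `host_network_findings(SAMPLE_DOCS)` reports `Pod/view-pid` and `Deployment/web`; removing the `hostNetwork` key from a spec, as the rule message advises, clears the finding.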