yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod

profile photo of returntocorpreturntocorp
Author
418
Download Count*

Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.

Run Locally

Run in CI

Defintion

rules:
  - id: hostnetwork-pod
    patterns:
      - pattern-inside: |
          spec:
            ...
      - pattern: |
          hostNetwork: true
    message: Pod may use the node network namespace. This gives the pod access to
      the loopback device, services listening on localhost, and could be used to
      snoop on network activity of other pods on the same node. Remove the
      'hostNetwork' key to disable this functionality.
    metadata:
      cwe:
        - "CWE-406: Insufficient Control of Network Message Volume (Network
          Amplification)"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
      category: security
      technology:
        - kubernetes
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - yaml
    severity: WARNING

Examples

hostnetwork-pod.test.yaml

apiVersion: v1
kind: Pod
metadata:
  name: view-pid
spec:
  # ruleid: hostnetwork-pod
  hostNetwork: true
  containers:
    - name: nginx
      image: nginx