Pods should not run containers that share the host network namespace

Description

hostNetwork is a pod-level setting (spec.hostNetwork). A pod that runs with hostNetwork: true shares the node's network namespace instead of receiving its own, so every container in it can reach host services that are bound only to localhost (node agents, metrics endpoints and similar), can bind ports directly on the node's interfaces, and, if it also holds the capabilities needed for packet capture (such as CAP_NET_RAW), can observe traffic on those interfaces, including traffic belonging to other pods on the node. This opts out of the isolation that Linux network namespaces provide; the Pod Security Standards baseline profile rejects it for that reason.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that spec.hostNetwork is false or omitted on every Pod, and on the pod template (spec.template.spec.hostNetwork; spec.jobTemplate.spec.template.spec.hostNetwork for a CronJob) of any Deployment, DaemonSet, StatefulSet, ReplicaSet, Job or CronJob that creates pods. The field defaults to false when not specified, so omitting it is sufficient; a DaemonSet that genuinely needs node networking (a CNI agent, for example) should be the documented exception, not the rule.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
  hostNetwork: false
# other required fields here
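The remediation step above amounts to a check that can be automated against what is actually running. The following script is an added example, not part of this policy page or of any scanner's own code: it walks the JSON that kubectl emits, locates the pod template inside each workload kind so that a Deployment or CronJob setting hostNetwork is not missed, and treats an absent field as false, matching the API default. The sample input and the script name are constructed for the example.

```python
import json
import sys

# Constructed sample resembling `kubectl get ... -A -o json` output, trimmed to
# the fields this check reads. It is not output from a real cluster.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "node-exporter", "namespace": "monitoring"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "exporter", "image": "busybox"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "hello", "namespace": "default"},
         "spec": {"hostNetwork": False,
                  "containers": [{"name": "hello", "image": "busybox"}]}},
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "web", "namespace": "default"},
         "spec": {"template": {"spec": {
             "containers": [{"name": "web", "image": "nginx"}]}}}},
        {"apiVersion": "batch/v1", "kind": "CronJob",
         "metadata": {"name": "nightly-scan"},
         "spec": {"jobTemplate": {"spec": {"template": {"spec": {
             "hostNetwork": True,
             "containers": [{"name": "scan", "image": "busybox"}]}}}}}},
    ],
})

# Path of keys from the object root to the PodSpec for each kind that creates pods.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "ReplicationController": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(obj):
    """Return the PodSpec dict of a workload object, or None if its kind has none."""
    path = POD_SPEC_PATHS.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def iter_objects(doc):
    """Yield individual objects; kubectl wraps multiple results in a kind: List."""
    if doc.get("kind") == "List":
        yield from doc.get("items", [])
    else:
        yield doc


def find_host_network(doc):
    """Return 'Kind/namespace/name' for every pod spec that sets hostNetwork: true.

    A missing field is treated as false, which is the API default.
    """
    findings = []
    for obj in iter_objects(doc):
        spec = pod_spec(obj)
        if spec is None:
            continue
        # The API server only accepts a boolean here, so compare strictly.
        if spec.get("hostNetwork") is True:
            meta = obj.get("metadata", {})
            findings.append("%s/%s/%s" % (
                obj["kind"],
                meta.get("namespace", "default"),
                meta.get("name", "<unnamed>"),
            ))
    return findings


def check_json_text(text):
    """Parse kubectl JSON output and return the offending objects."""
    return find_host_network(json.loads(text))


if __name__ == "__main__":
    # Read kubectl output from stdin; fall back to the constructed sample.
    text = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    hits = check_json_text(text)
    for hit in hits:
        print("hostNetwork enabled:", hit)
    sys.exit(1 if hits else 0)
```

Run it against a live cluster with `kubectl get pods,deployments,daemonsets,statefulsets,jobs,cronjobs -A -o json | python3 check_hostnetwork.py` (the file name is assumed); a non-zero exit makes it usable as a CI gate. Checking the controllers and not only the Pods matters because a Deployment with hostNetwork in its template is compliant-looking at the Pod level until it scales up.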