C-0041 - HostNetwork access
Framework
WorkloadScan, ClusterScan, security, ArmoBest, NSA, AllControls
Severity
High
Description of the the issue
We have it in ArmoBest
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Remediation
Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.
Example
apiVersion: v1
kind: Pod
metadata:
name: ubuntu
labels:
app: ubuntu
spec:
containers:
- image: ubuntu
name: ubuntu
hostNetwork: true # we look for this attribute
Updated 9 days ago