C-0041 - HostNetwork access

Framework

WorkloadScan, ClusterScan, security, ArmoBest, NSA, AllControls

Severity

High

Description of the the issue

We have it in ArmoBest

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Remediation

Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.

Example

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  containers:
  - image: ubuntu
    name: ubuntu
  hostNetwork: true # we look for this attribute