C-0044 - Container hostPort

Framework

WorkloadScan, security, DevOpsBest, ArmoBest, NSA, AllControls

Severity

Medium

Description of the the issue

Workloads (like pod, deployment, etc) that contain a container with hostport. The problem that arises is that if the scale of your workload is larger than the number of nodes in your Kubernetes cluster, the deployment fails. And any two workloads that specify the same HostPort cannot be deployed to the same node. In addition, if the host where your pods are running becomes unavailable, Kubernetes reschedules the pods to different nodes. Thus, if the IP address for your workload changes, external clients of your application will lose access to the pod. The same thing happens when you restart your pods — Kubernetes reschedules them to a different node if available. 

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check for each workload (with container) if it exists inside the container hostPort.  

Remediation

Avoid usage of hostPort unless it is absolutely necessary, in which case define appropriate exception. Use NodePort / ClusterIP instead.

Example

apiVersion: v1
kind: Pod
metadata:
  name: firstpod
spec:
  containers:
  - name: container
    image: nginx
    ports:
    - containerPort: 80
      hostIP: 10.0.0.1
      hostPort: 8080 #we look for this attribute