C-0044 - Container hostPort

Container hostPort


DevOpsBest, YAML-scanning, AllControls, NSA, ArmoBest



Description of the the issue

Workloads (like pod, deployment, etc) that contain a container with hostport. The problem that arises is that if the scale of your workload is larger than the number of nodes in your Kubernetes cluster, the deployment fails. And any two workloads that specify the same HostPort cannot be deployed to the same node. In addition, if the host where your pods are running becomes unavailable, Kubernetes reschedules the pods to different nodes. Thus, if the IP address for your workload changes, external clients of your application will lose access to the pod. The same thing happens when you restart your pods — Kubernetes reschedules them to a different node if available. 

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check for each workload (with container) if it exists inside the container hostPort.  


Avoid usage of hostPort unless it is absolutely necessary, in which case define appropriate exception. Use NodePort / ClusterIP instead.


apiVersion: v1
kind: Pod
  name: firstpod
  - name: container
    image: nginx
    - containerPort: 80
      hostPort: 8080 #we look for this attribute

Did this page help you?