
Containers wishing to share host network namespace admitted

Description

In a Kubernetes cluster, every pod gets its own IP address. Pods can be treated much like VMs or physical hosts from the perspective of port allocation, naming, service discovery, load balancing, application configuration, and migration. Sharing the host network namespace breaks the isolation between containers and can make the host's network visible to the containers in the pod. In some cases, pods in the host network of a node can communicate with all pods on all nodes without using network address translation (NAT).

Code Example

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  hostNetwork: false
```

Remediation

Kubernetes

  • Resource: PodSecurityPolicy
  • Arguments: hostNetwork (Optional) When set to false, Pods are unable to use their host's network namespace.
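The following is an added example, not code from the page or from Checkov, showing how the condition behind this rule can be evaluated outside the cluster: it reads the JSON that `kubectl get ... -o json` produces (a `List` or a single object) and reports a PodSecurityPolicy that explicitly sets `hostNetwork: true`. It goes beyond the rule on the page by also inspecting the pod specification of Pods and common workload kinds, which is where the setting is requested in practice. The treatment of a PodSecurityPolicy that omits the field (reported as passing, because the field defaults to `false`) and the set of workload kinds inspected are assumptions of this example; the sample manifests are constructed, not taken from the page. Note that PodSecurityPolicy was removed in Kubernetes 1.25, so on current clusters the same control is expressed through Pod Security Admission, whose baseline profile already forbids `hostNetwork: true`.

```python
"""Added example: report manifests that share the host network namespace."""
from __future__ import annotations

import json
from typing import Any

# Workload kinds whose pod template lives under spec.template.spec (assumption of this example).
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec_of(manifest: dict[str, Any]) -> dict[str, Any] | None:
    """Return the pod spec embedded in a manifest, or None if the kind carries none."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in TEMPLATE_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    if kind == "CronJob":
        job = manifest.get("spec", {}).get("jobTemplate", {}).get("spec", {})
        return job.get("template", {}).get("spec", {})
    return None


def check_host_network(manifest: dict[str, Any]) -> tuple[str, str]:
    """Evaluate one manifest; returns (result, reason) with result PASS, FAIL or SKIP."""
    kind = manifest.get("kind", "<unknown>")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    ident = f"{kind}/{name}"

    if kind == "PodSecurityPolicy":
        # The PSP field defaults to false, so only an explicit true admits host-network pods.
        value = manifest.get("spec", {}).get("hostNetwork", False)
        if value is True:
            return "FAIL", f"{ident}: policy admits pods that share the host network namespace"
        return "PASS", f"{ident}: hostNetwork is {json.dumps(value)}"

    spec = pod_spec_of(manifest)
    if spec is None:
        return "SKIP", f"{ident}: kind carries no pod specification"
    if spec.get("hostNetwork") is True:
        return "FAIL", f"{ident}: pod requests hostNetwork: true"
    return "PASS", f"{ident}: pod does not request the host network namespace"


def scan(manifests: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Evaluate every manifest in order."""
    return [check_host_network(m) for m in manifests]


def scan_json(text: str) -> list[tuple[str, str]]:
    """Accept the JSON printed by `kubectl get ... -o json`: a List or a single object."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return scan(items)


# Constructed sample manifests (not from the page), in the shape kubectl emits.
SAMPLE_MANIFESTS: list[dict[str, Any]] = [
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "permissive"}, "spec": {"hostNetwork": True}},
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "restricted"}, "spec": {"hostNetwork": False}},
    {"apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "node-agent"},
     "spec": {"template": {"spec": {"hostNetwork": True, "containers": [{"name": "agent"}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [{"name": "web"}]}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"},
     "spec": {"ports": [{"port": 80}]}},
]

if __name__ == "__main__":
    as_json = json.dumps({"apiVersion": "v1", "kind": "List", "items": SAMPLE_MANIFESTS})
    for result, reason in scan_json(as_json):
        print(f"{result:4} {reason}")
```

Run against a live cluster with `kubectl get psp,pods,deploy,ds,sts,jobs,cronjobs -A -o json | python3 host_network_check.py` after replacing the sample list with `scan_json(sys.stdin.read())`; each FAIL line names the object that admits or requests the host network namespace.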

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-1082 |
| Severity | MEDIUM |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_4 |
