Containers share the host network namespace
Description
When using the host network mode for a container, that container's network stack is not isolated from the Docker host, so the container shares the host's networking namespace and does not get its own IP-address allocation. To limit an attacker's options to escalate privileges from within a container, we recommend you to configure containers to not share the host network namespace.
Code Example
yaml
apiVersion: v1
kind: Pod
metadata:
name: <name>
spec:
+ hostNetwork: false # or do not include hostNetworkRemediation
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Arguments: hostNetwork (Optional) If true, the Pod uses the host's network namespace. Default to false.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1097 |
| Severity | MEDIUM |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes, |
| Checkov ID | CKV_K8S_19 |