Profile Applicability:
Level 1

Description:
 Containers should not be allowed to run with the hostNetwork flag set to true unless absolutely necessary. This flag allows containers to share the host's network namespace, which can lead to security risks by providing the container access to the local loopback device and network traffic from other pods.

Rationale:
 Containers running with the hostNetwork flag can interact with network traffic on the host and potentially gain access to sensitive internal data or disrupt other pods' network activity. To minimize this risk, at least one admission control policy should be defined to prevent the use of hostNetwork containers unless specifically required. These containers should be carefully controlled, and their use should be limited to specific service accounts or workloads.

Impact:
Pros:

  • Prevents containers from accessing host network interfaces, reducing the risk of network-based attacks.

  • Strengthens the isolation between containers and the host network.

Cons:

  • Some workloads, such as network monitoring or logging tools, may require access to the host network. These cases should be handled separately with specific permissions.

Default Value:
 By default, Kubernetes does not restrict the creation of containers with the hostNetwork flag set to true.

Pre-requisites:

  • Access to the Kubernetes cluster with sufficient privileges to enforce Pod Security Policies (PSPs) or other admission control policies.

  • Understanding of the workloads that may need to use the host network.

Remediation

Test Plan:

Using AWS Console:

  1. Review the Pod Security Policies (PSPs) applied to each namespace to ensure that hostNetwork containers are not admitted without a specific policy.

  2. Check the current pod configurations for the hostNetwork flag to verify that no unauthorized containers are sharing the host network namespace.

Using AWS CLI:

  1. To find pods running with hostNetwork: true, run the following command:

kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.spec.hostNetwork == true) | "\(.metadata.namespace)/\(.metadata.name)"'

  2. Alternatively, to exclude the kube-system namespace, use this command:

kubectl get pods --all-namespaces -o json | jq '.items[] | select(.metadata.namespace != "kube-system" and .spec.hostNetwork == true) | {pod: .metadata.name, namespace: .metadata.namespace, container: .spec.containers[].name}'

  3. Review the output to ensure no unauthorized pods are using the host network namespace.

Implementation Plan

Using AWS Console:

  1. Add Pod Security Admission (PSA) policies to restrict the admission of hostNetwork containers for namespaces with user workloads.

  2. Label the namespaces to enforce restrictions on hostNetwork containers.

  3. If necessary, create separate policies that allow containers requiring hostNetwork to run with proper access control. Ensure that only necessary service accounts or users are granted this capability.

Using AWS CLI:

  1. Label namespaces with the restricted policy to prevent the creation of hostNetwork containers:

kubectl label --overwrite ns NAMESPACE podsecurity.kubernetes.io/enforce=restricted

  2. Optionally, label all namespaces to enforce the restricted policy:

kubectl label --overwrite ns --all podsecurity.kubernetes.io/enforce=restricted

  3. Ensure that only specific service accounts or users are granted the ability to run containers with hostNetwork: true.
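The following is an added audit helper, not part of this benchmark, that applies the Test Plan and Implementation Plan checks to the JSON that kubectl emits: it lists hostNetwork pods outside an operator-defined exempt set and flags namespaces whose enforce label would still admit such pods. The pod and namespace JSON is constructed inline; the pod and namespace names are assumptions.

```python
import json

# Constructed sample data shaped like `kubectl get pods --all-namespaces -o json`
# and `kubectl get ns -o json`; not captured from a real cluster.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "aws-node-abc12"},
     "spec": {"hostNetwork": True, "containers": [{"name": "aws-node"}]}},
    {"metadata": {"namespace": "monitoring", "name": "node-exporter-x9z"},
     "spec": {"hostNetwork": True, "containers": [{"name": "exporter"}]}},
    {"metadata": {"namespace": "web", "name": "api-7d9f"},
     "spec": {"containers": [{"name": "api"}]}},
]})
NS_JSON = json.dumps({"items": [
    {"metadata": {"name": "kube-system", "labels": {}}},
    {"metadata": {"name": "monitoring",
                  "labels": {"podsecurity.kubernetes.io/enforce": "privileged"}}},
    {"metadata": {"name": "web",
                  "labels": {"podsecurity.kubernetes.io/enforce": "restricted"}}},
]})

ENFORCE_LABEL = "podsecurity.kubernetes.io/enforce"
# Pod Security Standards: both the baseline and restricted levels reject hostNetwork.
BLOCKING_LEVELS = {"baseline", "restricted"}


def host_network_pods(pods_json, exempt_namespaces=("kube-system",)):
    """Return 'namespace/pod' for every pod sharing the host network namespace,
    skipping namespaces the operator has deliberately exempted."""
    items = json.loads(pods_json)["items"]
    return sorted(
        f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for p in items
        if p["spec"].get("hostNetwork", False)
        and p["metadata"]["namespace"] not in exempt_namespaces
    )


def namespaces_not_blocking_host_network(ns_json, exempt_namespaces=("kube-system",)):
    """Return (namespace, enforce level) for namespaces that would admit hostNetwork pods.
    An unset label falls back to the cluster default, which is privileged unless configured."""
    findings = []
    for ns in json.loads(ns_json)["items"]:
        name = ns["metadata"]["name"]
        level = ns["metadata"].get("labels", {}).get(ENFORCE_LABEL)
        if name not in exempt_namespaces and level not in BLOCKING_LEVELS:
            findings.append((name, level or "<unset>"))
    return findings


if __name__ == "__main__":
    for ref in host_network_pods(PODS_JSON):
        print("hostNetwork pod outside exempt namespaces:", ref)
    for name, level in namespaces_not_blocking_host_network(NS_JSON):
        print(f"namespace {name} (enforce={level}) does not block hostNetwork")
```

Pipe the real `kubectl ... -o json` output into the two functions to run the same checks against a cluster.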

Backout Plan

Using AWS Console:

  1. If the new policy causes issues, remove the enforced policy by removing the enforce label from the namespace (the trailing "-" removes the label rather than setting it to an empty value):

kubectl label --overwrite ns NAMESPACE podsecurity.kubernetes.io/enforce-

  2. If containers must use hostNetwork, restore the previous settings for the affected namespaces or workloads that need this capability.

Using AWS CLI:

  1. To revert the policy, remove the enforce label from the namespaces (the trailing "-" removes the label):

kubectl label --overwrite ns NAMESPACE podsecurity.kubernetes.io/enforce-

  2. Allow hostNetwork containers only where necessary and restore the previous configurations for any critical workloads.

CIS Controls:

Version   Control ID   Control Description
v8        5.4          Restrict administrator privileges to dedicated administrator accounts on enterprise assets.
v7        4.3          Ensure the use of dedicated administrative accounts for elevated activities.