Profile Applicability:

  • Level 1

Description:
 In Kubernetes, a container can set hostPort on one of its ports, which binds that port on the node's network interface and makes the container reachable at the node's IP address from anywhere that can reach the node, including from outside the Kubernetes cluster. This check ensures that HostPorts are minimized in your Kubernetes deployment configurations, reducing the risk of exposing unnecessary services running inside the cluster to external access.

Rationale:
 Using HostPorts exposes containerized services directly on the node's IP address to any network that can reach the node, which increases the attack surface and the risk of unauthorized access. Because the traffic bypasses the Service layer, it also escapes the controls applied there (load-balancer configuration, source-range restrictions), and it pins the pod to a fixed port on the node, so only one such pod can be scheduled per node. By restricting the use of HostPorts, you ensure that containers only bind to the pod network, which is isolated from the node's external interfaces, and that only the services you deliberately publish are reachable from outside.

Impact:

  • Pros:

    • Reduces the attack surface by limiting access to services inside the Kubernetes cluster.

    • Ensures that containers are isolated from direct external access unless explicitly required.

  • Cons:

    • Some applications or services may require HostPorts to be exposed for external traffic.

    • Requires careful management to ensure that legitimate use cases for HostPorts are not disrupted.

Default Value:
 By default, containers do not use HostPorts unless explicitly configured in the pod specifications (the hostPort field is omitted, which is equivalent to hostPort: 0).

Pre-requisites:
 Ensure that your workloads and services are designed to use Kubernetes Services (ClusterIP for in-cluster traffic, LoadBalancer or an Ingress for external traffic) rather than exposing HostPorts. Also ensure that admission policies are in place to reject HostPorts unless necessary, for example Pod Security Admission at the baseline level, which forbids hostPort on any container in a labelled namespace, or an Azure Policy for AKS assignment that restricts host networking and host port ranges. Keep an explicit, short list of the node agents (typically DaemonSets) that are permitted to use a host port.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and open the Azure Kubernetes Service (AKS) cluster.

  2. Under Kubernetes resources, open Workloads, select each Pod (or the Deployment/DaemonSet that owns it) and view its YAML; verify that no container port defines hostPort unless required.

  3. Under Kubernetes resources, open Services and ingresses to confirm that traffic is published through appropriate service types (e.g., ClusterIP or LoadBalancer) or an Ingress rather than HostPorts.

Using Azure CLI:

  1. Use the following command to list, for every pod in every namespace, the HostPorts set on its containers (pods with none print an empty value and are filtered out by the grep):

     kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.spec.containers[*].ports[?(@.hostPort)].hostPort}{"\n"}{end}' | grep -v ': $'


  2. Ensure that no containers are using HostPorts unless explicitly required for the application. Check initContainers the same way, and also look for pods with hostNetwork: true, which share every port on the node and are not caught by a hostPort query.
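The following audit script is an added example for this check; it is not part of the benchmark text or of AKS tooling. It covers both the Pre-requisites point (an explicit allowlist of node agents permitted to use a host port) and the Test Plan above: it reads the JSON that `kubectl get pods --all-namespaces -o json` produces and reports every container, init container and ephemeral container that sets hostPort, plus pods that set hostNetwork: true, which a hostPort-only query misses. The allowlist format ("namespace/pod-name-prefix"), the ALLOWLIST entry and the embedded sample pod list are assumptions constructed for the example.

```python
"""Audit a kubectl PodList for hostPort and hostNetwork usage.

Usage against a live cluster:
    kubectl get pods --all-namespaces -o json | python3 audit_hostports.py

Run with no piped input it audits the constructed SAMPLE_PODS below.
"""
import json
import sys

# Every place a port list can appear in a pod spec.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def host_port_findings(pod_list, allowlist=()):
    """Return a list of finding dicts for a PodList dict.

    Each finding has namespace, pod, container, hostPort, protocol and
    hostNetwork. Pods whose "namespace/name" starts with an allowlist entry
    are skipped, so a known node agent can be excluded without hiding the
    rest of its namespace.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        if any(f"{ns}/{name}".startswith(prefix) for prefix in allowlist):
            continue
        spec = pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for container in spec.get(field) or []:
                for port in container.get("ports") or []:
                    host_port = port.get("hostPort") or 0
                    if host_port == 0:  # omitted or 0: not bound on the node
                        continue
                    findings.append({
                        "namespace": ns, "pod": name,
                        "container": container.get("name", ""),
                        "hostPort": host_port,
                        "protocol": port.get("protocol", "TCP"),
                        "hostNetwork": False,
                    })
        if spec.get("hostNetwork"):
            # hostNetwork shares every listening port with the node.
            findings.append({
                "namespace": ns, "pod": name, "container": "*",
                "hostPort": None, "protocol": None, "hostNetwork": True,
            })
    return findings


def format_finding(f):
    if f["hostNetwork"]:
        return f'{f["namespace"]}/{f["pod"]}: hostNetwork=true (all node ports shared)'
    return (f'{f["namespace"]}/{f["pod"]} container {f["container"]}: '
            f'hostPort {f["hostPort"]}/{f["protocol"]}')


# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster output.
SAMPLE_PODS = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-7d9f"},
         "spec": {"initContainers": [{"name": "init-db", "image": "busybox"}],
                  "containers": [{"name": "web", "image": "my-image",
                                  "ports": [{"containerPort": 8080, "hostPort": 8080}]}]}},
        {"metadata": {"namespace": "default", "name": "api-55c"},
         "spec": {"containers": [{"name": "api", "image": "my-image",
                                  # hostPort 0 is the same as not setting it
                                  "ports": [{"containerPort": 9090, "hostPort": 0}]}]}},
        {"metadata": {"namespace": "monitoring", "name": "node-exporter-abc12"},
         "spec": {"containers": [{"name": "exporter", "image": "node-exporter",
                                  "ports": [{"containerPort": 9100, "hostPort": 9100,
                                             "protocol": "TCP"}]}]}},
        {"metadata": {"namespace": "infra", "name": "sniffer-x"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "sniff", "image": "tcpdump"}]}},
    ],
}

# Node agents permitted to bind a host port (assumption made for this example).
ALLOWLIST = ("monitoring/node-exporter-",)


def main():
    pod_list = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    findings = host_port_findings(pod_list, ALLOWLIST)
    for f in findings:
        print(format_finding(f))
    # Non-zero exit lets the script act as a CI or compliance gate.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Each entry that the script prints is a candidate for the Implementation Plan below; anything that genuinely needs a node port goes into ALLOWLIST, which should stay short and be reviewed alongside the check.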

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to Azure Kubernetes Service (AKS) and review the Pod configurations.

  2. Modify the Pod specifications to remove HostPorts from containers, replacing them with Kubernetes Services such as ClusterIP, NodePort, or LoadBalancer.

  3. For services that need external access, prefer a LoadBalancer Service (optionally restricting clients with loadBalancerSourceRanges) or an Ingress rather than HostPorts. Note that a NodePort Service also opens a port on every node's interface, so it reduces exposure less than the other two.

  4. Apply the updated configurations to ensure that the workload uses the appropriate service type.

Using Azure CLI:

Edit the Pod configuration YAML file to remove any usage of HostPorts and define appropriate Kubernetes services for external access (if required). The app label is what the Service further down selects on:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    app: my-app
spec:
  containers:
  - name: my-container
    image: my-image
    ports:
      - containerPort: 8080  # No hostPort defined here

  1. Apply the updated configuration to the cluster:

     kubectl apply -f pod-spec.yaml


If the service needs external access, create a LoadBalancer or NodePort service:

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: LoadBalancer

  1. Apply the service configuration:

     kubectl apply -f service.yaml


Backout Plan:

Using Azure Console:

  1. If restricting HostPorts causes issues with legitimate traffic, revert the configuration by re-adding HostPorts to the affected pods in the Azure portal.

Using Azure CLI:

Revert the Pod configuration to expose HostPorts by editing the YAML file and applying the changes. If Pod Security Admission or another admission policy now rejects HostPorts in the namespace, the pod will not be admitted until that policy is relaxed for it:

ports:
  - containerPort: 8080
    hostPort: 8080

Apply the reverted configuration:

     kubectl apply -f pod-spec.yaml

