Profile Applicability:

  • Level 1

Description:
 Setting hostNetwork: true in a Pod specification places its containers in the node's network namespace instead of an isolated one. Such containers see every network interface on the node, can bind any node port, can observe traffic on the node's interfaces (given CAP_NET_RAW), can reach services that listen only on the node's loopback interface, and are generally not covered by Kubernetes NetworkPolicy. This check ensures that containers which do not require direct access to the host network are prevented from sharing the host's network namespace.

Rationale:
 A container in the host network namespace is, from the network's point of view, indistinguishable from the node itself: it can reach node-local services, intercept or spoof traffic on node interfaces, and bypass the network segmentation that applies to ordinary pods. A compromise of such a container therefore exposes the node and every other pod scheduled on it. Keeping hostNetwork off by default shrinks the attack surface to the pod network, where NetworkPolicy and the CNI plugin can enforce isolation. Containers should use isolated network namespaces unless a specific, documented use case requires the host network.

Impact:

Pros:

  • Reduces the attack surface by preventing unnecessary network access to the host.

  • Improves security by isolating containers from the host’s networking stack.

Cons:

  • Some workloads legitimately require the host network namespace: on AKS the CNI and kube-proxy DaemonSets in kube-system, and node-level network monitoring or performance testing tools.

  • Requires an admission control policy plus a maintained allowlist of exempted workloads, so that only trusted workloads share the host's network namespace and new workloads cannot opt in silently.

Default Value:
 By default, hostNetwork is false. The field is omitted from the pod spec entirely unless explicitly set to true in the pod or controller template, so a pod that does not mention it is compliant. The Pod Security Admission baseline profile rejects pods that set it to true.

Pre-requisites:
 Ensure that an admission control mechanism capable of rejecting pods that set hostNetwork is available on the cluster: Pod Security Admission (built into Kubernetes, enabled by default from v1.23 and GA in v1.25), the Azure Policy add-on for AKS, or a Gatekeeper/OPA constraint. PodSecurityPolicy was removed in Kubernetes v1.25 and is only an option on clusters still running older versions.

Test Plan:

Using Azure Console:

  1. In the Azure portal, open your Azure Kubernetes Service (AKS) cluster and go to Kubernetes resources > Workloads > Pods.

  2. Select each pod (or filter by namespace) and review its YAML for the spec.hostNetwork field.

  3. Ensure that hostNetwork is not set to true unless the workload genuinely requires it; on AKS the expected exceptions are the CNI and kube-proxy DaemonSets in kube-system.

Using Azure CLI:

  1. List every pod that shares the host network namespace. The jsonpath filter selects pods whose spec.hostNetwork is true and prints their namespace and name; a bare {.items[*].spec.hostNetwork} would only print a run of true values with no pod names attached, because the field is omitted from the spec when false:

     kubectl get pods -A -o jsonpath='{range .items[?(@.spec.hostNetwork==true)]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}'

    Every pod listed must be a known, approved workload (typically the CNI and kube-proxy DaemonSets in kube-system). Anything else is a finding.

  2. Confirm that an admission control policy rejects new hostNetwork pods. For Pod Security Admission, check the pod-security.kubernetes.io/enforce label on each application namespace: a value of baseline or restricted rejects hostNetwork pods, while a missing label or privileged admits them. If Azure Policy for AKS is used instead, review the compliance state of the assigned host network definition in the portal.
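
The two CLI steps above can be run as one script that flags both unapproved host-network pods and namespaces where admission control would still admit them. This is an added example, not part of the benchmark text or any Azure or Kubernetes tooling; the allowlist (kube-system only) and the two sample outputs embedded below are constructed for illustration, and the live queries assume kubectl is configured against the cluster.

```shell
#!/usr/bin/env sh
# Audit helper for the hostNetwork check. Added example, not part of the
# benchmark or of any Azure/Kubernetes tooling. The allowlist and the sample
# query outputs are constructed for illustration; adjust them to your cluster.

# Namespaces whose hostNetwork pods are accepted. On AKS the CNI and kube-proxy
# DaemonSets in kube-system need the host network; nothing else should.
ALLOWED_NAMESPACES="kube-system"

# Pod Security Admission enforce levels that reject spec.hostNetwork: true.
ENFORCE_OK="baseline restricted"

# Live query 1: pods that explicitly set hostNetwork: true, as "namespace<TAB>pod".
# The field is omitted when false, so a bare {.items[*].spec.hostNetwork} would
# print only a run of "true" values with no pod names attached.
query_hostnetwork_pods() {
    kubectl get pods -A -o jsonpath='{range .items[?(@.spec.hostNetwork==true)]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}'
}

# Live query 2: every namespace with its PSA enforce label, as "namespace<TAB>level".
query_namespace_enforcement() {
    kubectl get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.pod-security\.kubernetes\.io/enforce}{"\n"}{end}'
}

# Reads query 1 output on stdin; prints "namespace/pod" for each pod outside the allowlist.
flag_hostnetwork_pods() {
    while IFS="$(printf '\t')" read -r ns pod; do
        [ -z "$ns" ] && continue
        case " $ALLOWED_NAMESPACES " in
            *" $ns "*) ;;                          # approved namespace
            *) printf '%s/%s\n' "$ns" "$pod" ;;    # finding
        esac
    done
}

# Reads query 2 output on stdin; prints namespaces where PSA would still admit a
# hostNetwork pod (no enforce label, or privileged). Allowlisted namespaces are
# skipped because they must keep admitting the host-network DaemonSets.
flag_unenforced_namespaces() {
    while IFS="$(printf '\t')" read -r ns level; do
        [ -z "$ns" ] && continue
        case " $ALLOWED_NAMESPACES " in *" $ns "*) continue ;; esac
        case " $ENFORCE_OK " in
            *" $level "*) ;;
            *) printf '%s (enforce=%s)\n' "$ns" "${level:-none}" ;;
        esac
    done
}

# Runs both checks on the given query outputs; returns 1 on any finding so the
# script can gate a pipeline.
audit() {
    pods="$(printf '%s\n' "$1" | flag_hostnetwork_pods)"
    namespaces="$(printf '%s\n' "$2" | flag_unenforced_namespaces)"
    status=0
    if [ -n "$pods" ]; then
        printf 'FAIL unapproved pods share the host network:\n%s\n' "$pods"; status=1
    fi
    if [ -n "$namespaces" ]; then
        printf 'FAIL namespaces still admit hostNetwork pods:\n%s\n' "$namespaces"; status=1
    fi
    [ "$status" -eq 0 ] && echo "PASS only approved workloads use hostNetwork and all application namespaces enforce baseline or stricter"
    return "$status"
}

# Constructed samples in the exact shape the two kubectl queries emit.
SAMPLE_PODS="$(printf 'kube-system\tkube-proxy-abc12\nmonitoring\tsniffer-0\n')"
SAMPLE_NAMESPACES="$(printf 'kube-system\t\ndefault\tbaseline\nmonitoring\tprivileged\n')"

case "${1:-}" in
    --sample) audit "$SAMPLE_PODS" "$SAMPLE_NAMESPACES" ;;
    --live)   audit "$(query_hostnetwork_pods)" "$(query_namespace_enforcement)" ;;
esac
```

Run it with --sample to see the two findings the constructed data produces (the sniffer pod in monitoring, and the monitoring namespace at the privileged level), or with --live against a real cluster. Namespaces are matched as a whole word inside the allowlist so that a namespace such as kube-system-tools is not accidentally exempted.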

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, open your AKS cluster, go to Kubernetes resources > Workloads, and locate the Deployment, DaemonSet or StatefulSet whose pods use the host network. Edit the controller's pod template rather than the pod itself, since a controller recreates pods from its template.

  2. Remove hostNetwork: true from the pod template, or set it explicitly to false. hostNetwork is a pod-level field directly under spec; it is not a securityContext setting and is ignored if placed there:

spec:
  hostNetwork: false

  3. Enforce the restriction cluster-wide with an admission control policy so that future workloads cannot opt in silently: enable the Azure Policy add-on for AKS and assign the built-in definition that restricts host network use, or label each application namespace with pod-security.kubernetes.io/enforce=baseline so that Pod Security Admission rejects hostNetwork pods. Leave kube-system out of the enforced set, since its CNI and kube-proxy DaemonSets need the host network. PodSecurityPolicy is only usable on clusters running Kubernetes versions earlier than v1.25, where it was removed.

Using Azure CLI:

  1. Edit the workload manifest so the pod template no longer requests the host network. hostNetwork is a pod-level field directly under spec:

spec:
  hostNetwork: false

  2. Apply the updated manifest; the controller rolls out new pods from the corrected template:

     kubectl apply -f pod-spec.yaml

  3. Enforce the restriction with admission control. On current clusters use Pod Security Admission: labelling an application namespace with pod-security.kubernetes.io/enforce=baseline rejects any new pod that sets hostNetwork. Only on clusters older than Kubernetes v1.25 can a PodSecurityPolicy still be used; note that a valid policy must also carry the mandatory rule fields, not just hostNetwork:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-hostnetwork
spec:
  hostNetwork: false
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}

  4. Apply the PodSecurityPolicy and bind it through RBAC to the service accounts that create pods; a PodSecurityPolicy has no effect until a role grants the use verb on it:

     kubectl apply -f pod-security-policy.yaml

Backout Plan: 

Using Azure Console:

  1. If the restriction breaks a workload that genuinely needs the host network, restore hostNetwork: true in that workload's pod template in the Azure portal and add it to the admission policy's exemptions (for Pod Security Admission, place it in a namespace at the privileged level) rather than disabling the policy cluster-wide.

Using Azure CLI:

  1. Revert the Pod specification to allow containers to use the host network by modifying the YAML configuration and setting hostNetwork: true where necessary.

  2. Apply the updated configuration:

     kubectl apply -f pod-spec.yaml


  3. Revert any PodSecurityPolicy changes by deleting the policy; if Pod Security Admission was used instead, remove the pod-security.kubernetes.io/enforce label from the affected namespace:

     kubectl delete podsecuritypolicy restrict-hostnetwork

