Containers which use host networking bypass controls such as Kubernetes network policy, potentially allowing unauthorized access to systems inside or outside of the cluster.
Host network containers can allow for unauthorized connections to other applications and servers.
Host networking bypasses any controls at the Kubernetes level on traffic to and from the container. This means that users with access to that container can reach services listening on the node's localhost interface and can also access the cloud provider's instance metadata service.
Identify affected resources
Review the output of the following command, which lists every pod with hostNetwork set to true as namespace/name (the original iterated `.items` without `[]`, so jq would fail on the array):
kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.spec.hostNetwork==true) | "\(.metadata.namespace)/\(.metadata.name)"'
Remediate vulnerable resources
Review the list of pods which have this access and, where possible, remove it. Some workloads, such as kube-proxy and CNI tools like Calico and Cilium, do require host networking to operate.
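The identify and remediate steps above can be combined into one audit that separates the expected system workloads from pods that need review. The following is an added example, not part of the original page; it assumes the JSON shape of `kubectl get pods -A -o json`, and the owner names in EXPECTED_HOST_NETWORK (kube-proxy, calico-node, cilium) are an assumption to adjust for the cluster at hand.

```python
import json

# Workloads the page notes legitimately need host networking. Matching on
# (namespace, controlling-owner name) is an assumption for this example.
EXPECTED_HOST_NETWORK = {
    ("kube-system", "kube-proxy"),
    ("kube-system", "calico-node"),
    ("kube-system", "cilium"),
}


def owner_name(pod):
    """Name of the controlling owner (DaemonSet, ReplicaSet, ...), or the pod itself."""
    for ref in pod["metadata"].get("ownerReferences", []):
        if ref.get("controller"):
            return ref["name"]
    return pod["metadata"]["name"]


def host_network_pods(pod_list):
    """Return (namespace, pod name, owner) for every pod with hostNetwork=true.

    `pod_list` is the parsed output of `kubectl get pods -A -o json`.
    A missing hostNetwork field means the default, false.
    """
    found = []
    for pod in pod_list.get("items", []):
        if pod.get("spec", {}).get("hostNetwork") is True:
            ns = pod["metadata"].get("namespace", "default")
            found.append((ns, pod["metadata"]["name"], owner_name(pod)))
    return found


def unexpected_host_network_pods(pod_list, expected=EXPECTED_HOST_NETWORK):
    """Drop known system workloads; whatever remains should lose hostNetwork."""
    return [p for p in host_network_pods(pod_list) if (p[0], p[2]) not in expected]


# Constructed sample in the shape kubectl emits; not output from a real cluster.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "kube-proxy-x7k2p", "namespace": "kube-system",
   "ownerReferences": [{"kind": "DaemonSet", "name": "kube-proxy", "controller": true}]},
  "spec": {"hostNetwork": true}},
 {"metadata": {"name": "web-6d4f9-qz8r1", "namespace": "default",
   "ownerReferences": [{"kind": "ReplicaSet", "name": "web-6d4f9", "controller": true}]},
  "spec": {"hostNetwork": false}},
 {"metadata": {"name": "debug-shell", "namespace": "dev"},
  "spec": {"hostNetwork": true}}
]}""")

if __name__ == "__main__":
    for ns, name, owner in unexpected_host_network_pods(SAMPLE_POD_LIST):
        print(f"{ns}/{name} (owner {owner}): hostNetwork=true, not an expected system workload")
```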