About
Containers which use host networking bypass controls such as Kubernetes network policy, potentially allowing unauthorized access to systems inside or outside of the cluster.
Understanding Impact
Business Impact
Host network containers can allow for unauthorized connections to other applications and servers.
Technical Impact
Host networking bypasses any controls at the Kubernetes level on traffic to and from the container. It means users with access to that container can contact services on the localhost interface of the node and also access cloud metadata services.
Identify affected resources
Review the output of the following command:
kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.spec.hostNetwork==true) | .metadata.name'
Remediate vulnerable resources
Review the list of pods which have this access and, where possible, remove it. Some workloads, such as kube-proxy and CNI tools like Calico and Cilium, do require host networking to operate.
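To support the identification and review steps above, the following added example (not part of the original page) reads the same kubectl JSON output, reports each host-network pod with its namespace and node, and separates expected system workloads from pods that need review. The EXPECTED allowlist and the sample pod data are assumptions constructed for illustration; adjust the namespaces and prefixes to match how kube-proxy and your CNI are deployed.

```python
import json
import sys

# Assumption: (namespace, pod-name prefix) pairs for workloads expected to use
# host networking, based on the examples named above. Adjust for your cluster.
EXPECTED = {("kube-system", "kube-proxy"), ("kube-system", "calico-node"),
            ("kube-system", "cilium")}

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-x7k2p"},
     "spec": {"hostNetwork": True, "nodeName": "node-a"}},
    {"metadata": {"namespace": "default", "name": "web-6d4f9"},
     "spec": {"nodeName": "node-a"}},
    {"metadata": {"namespace": "default", "name": "kube-proxy-debug"},
     "spec": {"hostNetwork": True, "nodeName": "node-b"}},
    {"metadata": {"namespace": "tools", "name": "netshoot"},
     "spec": {"hostNetwork": True, "nodeName": "node-a"}},
]}


def is_expected(namespace, name):
    """Namespace and prefix must both match; a matching name alone is not enough."""
    return any(namespace == ns and name.startswith(prefix)
               for ns, prefix in EXPECTED)


def host_network_pods(pod_list):
    """Return (namespace, name, node, expected) for every hostNetwork pod,
    with pods that need review sorted first."""
    rows = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        if spec.get("hostNetwork") is not True:
            continue
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        rows.append((ns, name, spec.get("nodeName", ""), is_expected(ns, name)))
    return sorted(rows, key=lambda r: (r[3], r[0], r[1]))


if __name__ == "__main__":
    # Usage: kubectl get pods --all-namespaces -o json | python3 script.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for ns, name, node, expected in host_network_pods(data):
        print(f"{'expected' if expected else 'REVIEW  '} {ns}/{name} on {node}")
```

A pod marked expected has only matched on namespace and name prefix, so it should still be confirmed against the workload that owns it before being accepted.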