Ensure containers do not share the host network namespace
Error: Containers share the host network namespace
Bridgecrew Policy ID: BC_K8S_18
Checkov Check ID: CKV_K8S_19
Severity: MEDIUM
Containers share the host network namespace
Description
In Kubernetes, hostNetwork is a Pod-level setting. When it is true, every container in the Pod runs in the node's network namespace instead of a namespace of its own: the Pod does not get its own IP address, it sees and can bind the node's interfaces and ports directly, it can reach services listening on the node's loopback interface, and network plugins typically cannot apply NetworkPolicy isolation to it.
An attacker who compromises such a container can sniff or spoof the traffic of other workloads on the node and talk to node-local services, which is a common step toward escalating privileges. To limit those options, configure Pods not to share the host network namespace. Workloads that genuinely need it (CNI agents, kube-proxy, node monitoring daemons) are the exception and belong in system namespaces. The Pod Security Standards baseline profile rejects hostNetwork: true, so enforcing it with Pod Security Admission gives a runtime backstop for this buildtime check.
Fix - Buildtime
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: hostNetwork (Optional)
hostNetwork is a field of the Pod spec, not of an individual container. If true, the Pod uses the host's network namespace. Defaults to false.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
+ hostNetwork: false  # or omit hostNetwork; it defaults to false
apiVersion: batch/v1beta1  # use batch/v1 on Kubernetes 1.21 and later; v1beta1 was removed in 1.25
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
+         hostNetwork: false  # or omit hostNetwork; it defaults to false
apiVersion: <>
kind: <kind>  # Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job
metadata:
  name: <name>
spec:
  template:
    spec:
+     hostNetwork: false  # or omit hostNetwork; it defaults to false
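The three manifest shapes above (Pod, CronJob, and the template-based controllers) each keep the Pod spec at a different depth, which is exactly what a scanner for this check has to account for. The following is an added example, not Bridgecrew's or Checkov's own implementation of CKV_K8S_19: it locates the Pod spec for every kind the policy covers and flags any manifest where hostNetwork is explicitly true, treating an absent key as the default of false. It assumes manifests have already been parsed into Python dicts (the structure yaml.safe_load would return); the sample manifests in SAMPLE_MANIFESTS are constructed for illustration.

```python
"""Scan parsed Kubernetes manifests for workloads that share the host network namespace.

Added example, not Bridgecrew's or Checkov's own code. Manifests are assumed to be
already-parsed dicts (what yaml.safe_load produces); the samples below are constructed.
"""

# Kinds whose Pod spec lives under spec.template.spec
TEMPLATE_KINDS = {
    "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
    "ReplicationController", "Job",
}


def pod_spec(manifest):
    """Return the Pod spec for any kind the policy covers, or None if the kind is not covered."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        # CronJob nests the Pod spec one level deeper than the other controllers.
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec")
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec")
    return None


def shares_host_network(manifest):
    """True only when hostNetwork is explicitly the boolean true.

    An absent key means the Kubernetes default (false), so such a manifest passes.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return False
    return spec.get("hostNetwork") is True


def scan(manifests):
    """Return (kind, name) for every covered manifest that fails the check."""
    failures = []
    for m in manifests:
        if pod_spec(m) is None:
            continue  # Services, ConfigMaps, etc. carry no Pod spec
        if shares_host_network(m):
            failures.append((m.get("kind"), (m.get("metadata") or {}).get("name")))
    return failures


# Constructed sample manifests: the dict form of four small YAML documents.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "node-sniffer"},
        "spec": {"hostNetwork": True,
                 "containers": [{"name": "c", "image": "busybox"}]},
    },
    {
        "apiVersion": "batch/v1", "kind": "CronJob",
        "metadata": {"name": "nightly"},
        "spec": {"schedule": "0 2 * * *",
                 "jobTemplate": {"spec": {"template": {"spec": {
                     "hostNetwork": True,
                     "containers": [{"name": "c", "image": "busybox"}]}}}}},
    },
    {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "web"},
        "spec": {"replicas": 2, "template": {"spec": {
            "containers": [{"name": "c", "image": "nginx"}]}}},  # hostNetwork omitted
    },
    {
        "apiVersion": "v1", "kind": "Service",  # not a workload; ignored by the scan
        "metadata": {"name": "web"},
        "spec": {"ports": [{"port": 80}]},
    },
]

if __name__ == "__main__":
    for kind, name in scan(SAMPLE_MANIFESTS):
        print(f"FAILED CKV_K8S_19: {kind}/{name} shares the host network namespace")
```

The scan deliberately tests `is True` rather than truthiness, so a quoted string such as "false" or a stray non-boolean value is surfaced as a parsing problem elsewhere rather than silently passing or failing the check. For the runtime side of the same question, listing what is already running with the host network is a one-liner: kubectl get pods -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTNET:.spec.hostNetwork' shows the field for every Pod, with <none> where it was omitted.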