☑️ Prevent containers from insecurely exposing workload

Workloads listen on a private IP address and receive network traffic from the rest of the network by default. To be reachable outside of the cluster, you must explicitly add an ingress controller or a load balancer service, then route traffic to the workload. hostPort is a setting used to bind the private IP to the underlying IP.

With the hostPort defined, the workloads become exposed as the node, but without the firewall rules and access control attached to the host.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: medium (What does this mean?)

Policy as code identifier: CONTAINERS_INCORRECT_KEY_HOSTPORT

This rule will fail

If the hostPort key is set:

kind: Pod
spec:
  containers:
  - name: myContainer
    - hostPort: 8080

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from insecurely exposing workload [1 occurrence]
💡 Incorrect key `hostPort` - refrain from using this key to prevent insecurely exposing your workload

How to fix this failure

Refrain from using the hostPort key (use NodePort or ClusterIP instead).

kind: Service
spec:
  type: NodePort

Kubernetes - pod security standards

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more