
☑️ Prevent containers from sharing the host’s network namespace

When a container is allowed to share its host's network namespace, it can reach the host's local network listeners and use that access to probe the host's local network.

Objects targeted by this rule (by kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy

Policy as code identifier: CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE


This rule will fail

If hostNetwork is set to true:

spec:
  hostNetwork: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from sharing the host’s network namespace [1 occurrence]
💡 Incorrect value for key `hostNetwork` - running on the host’s network namespace can allow a compromised container to sniff network traffic

How to fix this failure

Set hostNetwork to false or remove the key completely (the default is false):

spec:
  hostNetwork: false
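As an added example (not part of the Datree page or its rule engine), the check below walks each targeted kind to the pod spec where hostNetwork actually lives (a CronJob nests it under jobTemplate) and reports manifests that set it to true; the sample manifests are constructed for illustration.

```python
import json

# Where the pod spec sits for each kind this rule targets
# (key path relative to the manifest root).
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

RULE_ID = "CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE"


def pod_spec(manifest):
    """Return the pod spec dict for a targeted kind, or None if out of scope."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def check_host_network(manifest):
    """Return a finding if hostNetwork is true; an absent or false key passes."""
    spec = pod_spec(manifest)
    if spec is None or spec.get("hostNetwork") is not True:
        return None
    kind = manifest["kind"]
    return {
        "rule": RULE_ID,
        "kind": kind,
        "name": manifest.get("metadata", {}).get("name", "<unnamed>"),
        "path": "/".join(POD_SPEC_PATH[kind] + ("hostNetwork",)),
    }


def check_documents(documents):
    """Run the rule over parsed manifests (e.g. from yaml.safe_load_all)."""
    return [f for f in (check_host_network(d) for d in documents) if f]


# Constructed samples: a failing CronJob, a passing Deployment, a failing Pod.
SAMPLE = [
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {
         "spec": {"hostNetwork": True, "containers": [{"name": "c", "image": "busybox"}]}}}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"hostNetwork": False, "containers": [{"name": "c", "image": "nginx"}]}}}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
     "spec": {"hostNetwork": True, "containers": [{"name": "c", "image": "busybox"}]}},
]

if __name__ == "__main__":
    for finding in check_documents(SAMPLE):
        print(json.dumps(finding))
```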
