Containers should not use the host network namespace
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | Kubernetes | PERMISSION |
Description
Network namespaces give each container its own isolated network stack (interfaces, routing table, ports), so a container sees only the small network it is placed in. Containers placed in the host network namespace share the node's network stack and lose all the security benefits of that isolation.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
If a container is compromised, the attacker gains access to information about the host's network, which can lead to privilege escalation.
Remediation guidelines
Do not share the host network namespace. Set 'spec.hostNetwork' to 'false' in the Pod spec, or omit the field, since 'false' is the default. Note that 'hostNetwork' is a Pod-level field rather than part of a container's 'securityContext'; for workload controllers such as Deployments and DaemonSets it lives at 'spec.template.spec.hostNetwork'.
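The following is an added example, not part of the original rule page: a small manifest scanner that finds workloads opting into the host network namespace and shows the weak setting beside its remediated form. The manifests are constructed inline as Python dicts (the same objects a YAML loader would produce) so it runs offline, and the resource names and images are made up for illustration. It goes slightly beyond the page by also walking the pod template of controllers (Deployment, DaemonSet, StatefulSet, Job, CronJob), since in practice the Pod-level field is usually set there.

```python
"""Find Kubernetes workloads that set spec.hostNetwork: true.

Added example (not the rule's own implementation). Checks bare Pods and the
pod templates of the common workload controllers, and offers a remediation
helper that drops the field (the API default is false).
"""
import copy

# --- constructed sample manifests (names and images are illustrative) ---
VULNERABLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "net-debug"},
    "spec": {
        "hostNetwork": True,  # weak setting: shares the node's network namespace
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

FIXED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "net-debug"},
    "spec": {
        "hostNetwork": False,  # remediated form; omitting the field is equivalent
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

VULNERABLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "replicas": 2,
        "template": {  # the Pod-level field sits inside the pod template
            "spec": {
                "hostNetwork": True,
                "containers": [{"name": "web", "image": "example/web:2.3"}],
            }
        },
    },
}

VULNERABLE_CRONJOB = {
    "apiVersion": "batch/v1",
    "kind": "CronJob",
    "metadata": {"name": "nightly"},
    "spec": {
        "schedule": "0 2 * * *",
        "jobTemplate": {  # CronJob nests one level deeper: jobTemplate -> template
            "spec": {
                "template": {
                    "spec": {
                        "hostNetwork": True,
                        "containers": [{"name": "job", "image": "example/job:0.9"}],
                    }
                }
            }
        },
    },
}

TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def pod_spec_of(manifest):
    """Return the PodSpec dict of a manifest, or None for kinds that have none."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    if kind in TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    return None  # Services, ConfigMaps, etc. carry no PodSpec


def uses_host_network(manifest):
    """True when the PodSpec explicitly opts into the host network namespace."""
    spec = pod_spec_of(manifest)
    if spec is None:
        return False
    # hostNetwork is a boolean API field; absence means false.
    return spec.get("hostNetwork", False) is True


def find_host_network_workloads(manifests):
    """Return 'Kind/name' for every manifest that violates the rule."""
    return [f"{m['kind']}/{m['metadata']['name']}" for m in manifests if uses_host_network(m)]


def remediate(manifest):
    """Return a deep copy with hostNetwork removed, restoring the default of false."""
    fixed = copy.deepcopy(manifest)
    spec = pod_spec_of(fixed)
    if spec is not None:
        spec.pop("hostNetwork", None)
    return fixed


if __name__ == "__main__":
    for finding in find_host_network_workloads(
        [VULNERABLE_POD, FIXED_POD, VULNERABLE_DEPLOYMENT, VULNERABLE_CRONJOB]
    ):
        print("hostNetwork enabled:", finding)
```

Running this over the constructed manifests flags the Pod, Deployment and CronJob but not the remediated Pod. As a cluster-side backstop, the Pod Security Standards "baseline" profile rejects pods with hostNetwork set to true, so enforcing that profile on a namespace (via the pod-security.kubernetes.io/enforce label) blocks the setting regardless of what a manifest declares.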