Containers should not use the host network namespace

Severity	Exploitability	Providers	Categories
HIGH	HIGH	Kubernetes	PERMISSION

Description

Network namespaces allow containers to operate in smaller, isolated networks. Containers placed in the host network namespace lose all the security benefits of isolation.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	False	False

In case of a compromised container, attackers will have access to information about the host's network, leading to a potential privilege escalation.

Remediation guidelines

Disallow access to the host namespace. This can be done by changing 'containers[].securityContext.spec.hostNetwork' to 'false'.

References

Kubernetes pod security standards
Diving into host network exploits

Containers should not use the host network namespace

Description

Impact

Remediation guidelines

References

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Containers should not use the host network namespace

Description​

Impact​

Remediation guidelines​

References​

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Subscribe to our newsletter

Description

Impact

Remediation guidelines

References