turbot/steampipe-mod-kubernetes-compliance

Benchmark: Containers should not run with host network access

Description

The Pod hostNetwork setting controls whether the Pod may use the node's network namespace. Enabling it gives the Pod access to the node's loopback device and to services listening on localhost, and it could be used to snoop on the network activity of other Pods on the same node.
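The following is an added example, not code from the steampipe-mod-kubernetes-compliance mod, showing the check this benchmark performs in plain Python: it reads Pod manifests (or a kubectl-style List of them), resolves the Pod spec for workloads that embed a Pod template, and flags any whose hostNetwork is set to true. An absent hostNetwork field is treated as the Kubernetes default of false. The sample manifests are constructed for this example; the function names are the example's own.

```python
# Added example (not part of the mod): evaluate Kubernetes manifests for
# hostNetwork, the setting the benchmark above checks.
import json

# Workload kinds whose spec carries a Pod template instead of a Pod spec.
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def load_manifests(text):
    """Parse a JSON document; a kind=List (as kubectl get ... -o json emits)
    is unwrapped into its items, any other object is returned as a one-item list."""
    doc = json.loads(text)
    if doc.get("kind") == "List":
        return doc.get("items", [])
    return [doc]


def pod_spec(manifest):
    """Return the Pod spec for a Pod, or for a workload that embeds a Pod template."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return {}


def host_network_enabled(manifest):
    """True when the Pod shares the node's network namespace.
    A missing hostNetwork field means the Kubernetes default, False."""
    return bool(pod_spec(manifest).get("hostNetwork", False))


def evaluate(manifests):
    """Return (namespace/name, status) per manifest; status is 'alarm' or 'ok'."""
    results = []
    for m in manifests:
        meta = m.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        results.append((ident, "alarm" if host_network_enabled(m) else "ok"))
    return results


# Constructed sample input: a List with a Pod that enables hostNetwork, a Pod
# that omits the field, a DaemonSet template that enables it, and a Deployment
# template that sets it to false explicitly.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "hostnet-pod", "namespace": "default"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "c", "image": "busybox"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "web", "namespace": "default"},
         "spec": {"containers": [{"name": "c", "image": "nginx"}]}},
        {"apiVersion": "apps/v1", "kind": "DaemonSet",
         "metadata": {"name": "node-agent", "namespace": "kube-system"},
         "spec": {"template": {"spec": {
             "hostNetwork": True,
             "containers": [{"name": "c", "image": "agent"}]}}}},
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "api", "namespace": "default"},
         "spec": {"template": {"spec": {
             "hostNetwork": False,
             "containers": [{"name": "c", "image": "api"}]}}}},
    ],
})


if __name__ == "__main__":
    for ident, status in evaluate(load_manifests(SAMPLE_JSON)):
        print(f"{status:5} {ident}")
```

Feeding the output of kubectl get pods --all-namespaces -o json to load_manifests gives the same alarm/ok verdicts the benchmark reports for live Pods; the workload kinds are handled so that the check can also be run against manifests before they are applied.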

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Containers should not run with host network access.

Run this benchmark in your terminal:

powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_host_network_access_disabled

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_host_network_access_disabled --share

Controls

Tags