Benchmark: Containers should not run with host network access
Description
The Pod host network setting controls whether the Pod may use the node's network namespace. Enabling it gives the Pod access to the node's loopback device and to services listening on localhost, and could be used to snoop on the network traffic of other Pods on the same node.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Containers should not run with host network access.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_host_network_access_disabled
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_host_network_access_disabled --share
Controls
- CronJob containers should not run with host network access
- DaemonSet containers should not run with host network access
- Deployment containers should not run with host network access
- Job containers should not run with host network access
- Pod containers should not run with host network access
- Pod Security Policy should prohibit host network access
- ReplicaSet containers should not run with host network access
- ReplicationController containers should not run with host network access
- StatefulSet containers should not run with host network access
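The controls above all apply one rule to different workload kinds: the Pod template must not set hostNetwork to true, and a PodSecurityPolicy must not allow it. The following is an added example that evaluates that rule over manifest dictionaries (such as those produced by yaml.safe_load); it is not code from the steampipe-mod-kubernetes-compliance mod, whose controls are Steampipe SQL queries. The POD_SPEC_PATHS table and the sample manifests are constructed for the example, and the function names are the example's own.

```python
"""Check Kubernetes manifests for Pods that share the node network namespace.

Added example for this page, not Powerpipe/Steampipe code. A workload fails
when its Pod template sets spec.hostNetwork to true; a PodSecurityPolicy fails
when its spec allows hostNetwork. Input manifests are plain dicts.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Location of the PodSpec inside each workload kind the benchmark covers.
# CronJob wraps a JobTemplate, which in turn wraps the Pod template.
POD_SPEC_PATHS: Dict[str, Tuple[str, ...]] = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(node: Any, path: Tuple[str, ...]) -> Optional[Dict[str, Any]]:
    """Follow a key path through nested dicts; None if any level is missing."""
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def pod_uses_host_network(manifest: Dict[str, Any]) -> Optional[bool]:
    """True/False for the Pod template of a known workload kind, None otherwise.

    hostNetwork defaults to false when absent, so only an explicit boolean
    true is treated as a finding (the string "true" is not a valid value).
    """
    path = POD_SPEC_PATHS.get(manifest.get("kind", ""))
    if path is None:
        return None
    spec = _dig(manifest, path) or {}
    return spec.get("hostNetwork") is True


def psp_allows_host_network(manifest: Dict[str, Any]) -> Optional[bool]:
    """PodSecurityPolicy: spec.hostNetwork true means Pods may request it."""
    if manifest.get("kind") != "PodSecurityPolicy":
        return None
    spec = manifest.get("spec") or {}
    return spec.get("hostNetwork") is True


def evaluate(manifests: Iterable[Dict[str, Any]]) -> List[Tuple[str, str, str, str]]:
    """Return (kind, namespace, name, status) per manifest; status is alarm/ok/skip."""
    results = []
    for m in manifests:
        kind = m.get("kind", "")
        meta = m.get("metadata") or {}
        if kind == "PodSecurityPolicy":
            verdict = psp_allows_host_network(m)
        else:
            verdict = pod_uses_host_network(m)
        status = "skip" if verdict is None else ("alarm" if verdict else "ok")
        results.append((kind, meta.get("namespace", ""), meta.get("name", ""), status))
    return results


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_MANIFESTS = [
    {"kind": "Pod", "metadata": {"name": "debug-shell", "namespace": "default"},
     "spec": {"hostNetwork": True, "containers": [{"name": "sh", "image": "busybox"}]}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"replicas": 2, "template": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}}},
    {"kind": "CronJob", "metadata": {"name": "nightly-scan", "namespace": "ops"},
     "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
         "hostNetwork": True, "containers": [{"name": "scan", "image": "scanner"}]}}}}}},
    {"kind": "DaemonSet", "metadata": {"name": "node-agent", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"hostNetwork": False, "containers": [{"name": "agent", "image": "agent"}]}}}},
    {"kind": "PodSecurityPolicy", "metadata": {"name": "permissive"},
     "spec": {"hostNetwork": True, "privileged": False}},
    {"kind": "ConfigMap", "metadata": {"name": "settings", "namespace": "default"}, "data": {}},
]

if __name__ == "__main__":
    for kind, ns, name, status in evaluate(SAMPLE_MANIFESTS):
        print(f"{status:5} {kind}/{ns or '-'}/{name}")
```

Kinds outside the table are reported as skip rather than ok, so an unrecognised workload type is visible instead of silently passing; the PodSecurityPolicy check is the mirror image of the workload checks, since there a true value means the policy permits what the other controls forbid.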