HostPath/Privileged/HostPID/HostNetwork bans
Definition
HostPath, Privileged, HostPID, and HostNetwork are Kubernetes settings that, if misconfigured, can lead to security vulnerabilities. HostPath allows a container to access the host’s file system, Privileged grants a container elevated permissions, HostPID allows containers to share the host’s process ID namespace, and HostNetwork enables containers to use the host’s network stack. Banning or restricting these settings is crucial to prevent unauthorized access and privilege escalation within a Kubernetes cluster.
Secure Settings Example
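apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: nginx:latest
    securityContext:
      # Container-level settings: no privileged mode, no privilege escalation
      privileged: false
      allowPrivilegeEscalation: false
  # Pod-level settings: keep the pod out of the host's network and PID namespaces
  hostNetwork: false
  hostPID: false
  volumes:
  # emptyDir is pod-scoped scratch space and does not expose the host file system
  - name: secure-volume
    emptyDir: {}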
Insecure Settings Example
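apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: nginx:latest
    securityContext:
      # Privileged mode gives the container elevated permissions
      privileged: true
  # The pod uses the host's network stack and shares its process ID namespace
  hostNetwork: true
  hostPID: true
  volumes:
  # hostPath gives the pod access to a directory on the host's file system
  - name: insecure-volume
    hostPath:
      path: /var/log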
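
One way to check manifests for the four settings before they reach a cluster. This is an added example, not code from the original page; it assumes each manifest has already been parsed into a Python dict (for instance from JSON output), and the function names and the Deployment sample are hypothetical.

```python
"""Flag hostPath, privileged, hostPID and hostNetwork in parsed manifests."""

def pod_spec_of(manifest):
    """Return the pod spec of a Pod, a workload template or a CronJob."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def find_violations(manifest):
    """List each of the four banned settings that the manifest turns on."""
    spec, found = pod_spec_of(manifest), []
    for field in ("hostNetwork", "hostPID"):
        if spec.get(field) is True:
            found.append(f"spec.{field} is true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol["hostPath"] or {}).get("path")
            found.append(f"volume {vol.get('name')!r} uses hostPath {path}")
    # Init and ephemeral containers carry their own securityContext.
    for group in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(group) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                found.append(f"{group} {c.get('name')!r} is privileged")
    return found

# Constructed sample: the insecure pod from this page, already parsed.
INSECURE_POD = {
    "kind": "Pod", "metadata": {"name": "insecure-pod"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "containers": [{"name": "insecure-container", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "insecure-volume", "hostPath": {"path": "/var/log"}}],
    },
}
# Constructed sample: a Deployment whose only violation is an init container.
DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
        "containers": [{"name": "app", "image": "nginx:latest"}],
    }}},
}

if __name__ == "__main__":
    for m in (INSECURE_POD, DEPLOYMENT):
        print(m["metadata"]["name"], find_violations(m))
```

The Deployment case shows why the check walks pod templates and init containers: the setting does not have to sit on a bare Pod or on the main container to take effect.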