
Impact & Risk Analysis

  • Severity: High
  • CIS Benchmark: CIS 5.2.5
  • Impact: Traffic Sniffing & Policy Bypass. A container running in the host’s network namespace (hostNetwork: true) bypasses the Kubernetes network overlay. It can:
    1. Sniff Traffic: See all network traffic entering and leaving the node.
    2. Access Localhost: Connect to services listening on 127.0.0.1 on the host (e.g., the Kubelet API, unauthenticated database ports).
    3. Bypass Policies: Ignore NetworkPolicies that restrict pod-to-pod communication.

Common Misconfiguration

Enabling hostNetwork: true for performance reasons or to simplify access to external services. This is also common for ingress controllers or CNI plugins, but it should be strictly prohibited for standard application workloads.

Vulnerable Example

# Vulnerable Pod Spec
apiVersion: v1
kind: Pod
metadata:
  name: promiscuous-pod
spec:
  # VULNERABLE: Container shares the host Network namespace
  hostNetwork: true
  containers:
  - name: app
    image: nginx

Secure Example

# Secure Pod Spec
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  # SECURE: hostNetwork is not defined (defaults to false)
  # The container gets its own IP address within the pod network overlay
  containers:
  - name: app
    image: nginx

Audit Procedure

Run the following command to check for pods using the host network namespace:
kubectl get pods -A -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.spec.hostNetwork}\n{end}'

  • Result: The output will list the pod name followed by its hostNetwork setting.
  • Fail: If you see true for any pod that is not a known system component (like kube-proxy, calico-node, or an Ingress Controller).
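The same check scripted against the JSON form of the kubectl output (kubectl get pods -A -o json), so it also reports the namespace and skips known system components. This is an added example, not part of the original page; the pod list below is constructed sample data, and the system-component namespaces and name prefixes are assumptions to adjust for your cluster.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`
# (hypothetical pods, not real cluster output).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "kube-proxy-abc12", "namespace": "kube-system"},
         "spec": {"hostNetwork": True}},
        {"metadata": {"name": "promiscuous-pod", "namespace": "default"},
         "spec": {"hostNetwork": True}},
        {"metadata": {"name": "secure-pod", "namespace": "default"},
         "spec": {}},
        {"metadata": {"name": "explicit-false", "namespace": "team-a"},
         "spec": {"hostNetwork": False}},
    ]
})

# Assumption: namespaces and pod-name prefixes treated as known system
# components (kube-proxy, CNI agents, ingress controllers). Tune per cluster.
SYSTEM_NAMESPACES = {"kube-system"}
SYSTEM_NAME_PREFIXES = ("kube-proxy-", "calico-node-", "ingress-nginx-controller-")


def is_known_system_component(pod):
    ns = pod["metadata"].get("namespace", "default")
    name = pod["metadata"]["name"]
    return ns in SYSTEM_NAMESPACES or name.startswith(SYSTEM_NAME_PREFIXES)


def audit_host_network(pod_list_json):
    """Return (namespace, name) for every pod with hostNetwork: true that is
    not a known system component. A missing hostNetwork field means false."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        if not pod.get("spec", {}).get("hostNetwork", False):
            continue
        if is_known_system_component(pod):
            continue
        ns = pod["metadata"].get("namespace", "default")
        findings.append((ns, pod["metadata"]["name"]))
    return findings


if __name__ == "__main__":
    # Real usage: kubectl get pods -A -o json | python3 audit_hostnetwork.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for ns, name in audit_host_network(data):
        print(f"FAIL: {ns}/{name} runs with hostNetwork: true")
```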

Remediation

Add a policy to every namespace that runs user workloads so that pods requesting hostNetwork are rejected at admission. With Pod Security Admission, apply the baseline or restricted profile to those namespaces; both profiles forbid hostNetwork: true.
# Enforce the baseline policy on the 'default' namespace
kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=baseline