Disallow Host Ports

Description

A hostPort binds a container port directly on the node's network interfaces. This exposes traffic to anyone with access to the node and should not be allowed, or at minimum should be restricted to a known list of ports. This control requires the hostPort field to be unset or set to 0.

Restricted Fields

  • spec.containers[*].ports[*].hostPort
  • spec.initContainers[*].ports[*].hostPort
  • spec.ephemeralContainers[*].ports[*].hostPort

Allowed Values

  • Undefined/nil
  • Known list
  • 0

Risks

When the hostPort field is set to a value other than 0, the following risks apply:

  • Network Snooping: When a container uses a hostPort, traffic sent to the node on that port is forwarded into the container. An attacker with access to the node (or to any other workload sharing its network namespace) can monitor or intercept this traffic more easily, and the port is reachable without going through a Service.

  • Scheduling Constraints: Do not specify a hostPort for a Pod unless it is absolutely necessary. Binding a Pod to a hostPort limits where the Pod can be scheduled, because each <hostIP, hostPort, protocol> combination must be unique on a node. If hostIP and protocol are not set explicitly, Kubernetes defaults them to 0.0.0.0 and TCP. If the port is only needed for debugging, use the API server proxy or kubectl port-forward instead. If a Pod's port genuinely must be reachable on the node, prefer a NodePort Service before resorting to hostPort.

Kyverno Policy

Refer to the Nirmata curated policies - disallow-host-ports.yaml

Configuration Settings

Use of host ports is disallowed. To be conformant with this security control, the fields spec.containers[*].ports[*].hostPort, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort must either be unset or set to 0. The Kyverno validate pattern below expresses this with equality anchors: a key written as =(field) is only checked when that field is present in the resource, so an absent hostPort passes and a present hostPort must equal 0. The containers list itself is mandatory in a Pod spec and is therefore not anchored. The fragment mirrors the Pod layout and sits under the spec key of the rule's validate.pattern.

=(ephemeralContainers):
  - =(ports):
    - =(hostPort): 0
=(initContainers):
  - =(ports):
    - =(hostPort): 0
containers:
  - =(ports):
    - =(hostPort): 0
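The following is an added example, not code from the Nirmata policy set or from Kyverno: a stand-alone Python re-implementation of the "unset or 0" semantics of the pattern above, so the check can be run offline over rendered manifests (for example the items returned by kubectl get pods -A -o json). It goes slightly beyond the pattern by also locating the Pod template inside common workload kinds and by supporting an allow-list that models the "Known list" allowed value. The kind-to-Pod-spec path table, the function names and the sample manifests are assumptions constructed for this demonstration.

```python
"""Audit Kubernetes manifests for hostPort values that are set and non-zero.

Added example (not from the Nirmata policies or Kyverno). The path table and
sample manifests below are constructed for the demonstration.
"""
from typing import Any, Dict, Iterable, List, Optional

# The three container lists the policy inspects. Ephemeral containers are
# included because `kubectl debug` can add them to a running Pod.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")

# Where each workload kind embeds its Pod spec (assumed set of kinds).
POD_SPEC_PATHS: Dict[str, tuple] = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the Pod spec inside `manifest`, or None for unknown kinds or
    when the expected path is missing."""
    path = POD_SPEC_PATHS.get(manifest.get("kind", ""))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def host_port_violations(manifest: Dict[str, Any],
                         allowed_ports: Iterable[int] = ()) -> List[str]:
    """List every hostPort that is set, non-zero and not explicitly allowed.

    Same semantics as the equality anchor `=(hostPort): 0`: an absent field
    or an explicit 0 passes. `allowed_ports` models the "Known list" allowed
    value for the few node agents that legitimately need a host port.
    Reported paths are relative to the Pod spec, as in the Kyverno pattern.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return []
    allowed = set(allowed_ports)
    violations: List[str] = []
    for list_name in CONTAINER_LISTS:
        for c_idx, container in enumerate(spec.get(list_name) or []):
            for p_idx, port in enumerate(container.get("ports") or []):
                host_port = port.get("hostPort")
                if host_port is None or host_port == 0 or host_port in allowed:
                    continue
                violations.append(
                    f"spec.{list_name}[{c_idx}].ports[{p_idx}].hostPort={host_port}"
                    f" (container {container.get('name', '<unnamed>')})"
                )
    return violations


# Constructed sample manifests: one conformant Deployment, one violating Pod.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "initcontainer01", "image": "dummyimagename"}],
        "containers": [{"name": "container01", "image": "dummyimagename",
                        "ports": [{"containerPort": 8080, "hostPort": 0}]}],
    }}},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "badpod"},
    "spec": {
        "initContainers": [{"name": "init", "image": "dummyimagename",
                            "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
        "containers": [{"name": "app", "image": "dummyimagename",
                        "ports": [{"containerPort": 443, "hostPort": 443},
                                  {"containerPort": 9100}]}],
    },
}

if __name__ == "__main__":
    for m in (GOOD_DEPLOYMENT, BAD_POD):
        found = host_port_violations(m)
        print(f"{m['kind']}/{m['metadata']['name']}:", "FAIL" if found else "PASS")
        for v in found:
            print("   ", v)
```

Feeding the function each element of the items list from kubectl get pods -A -o json gives a cluster-wide audit that matches what the Kyverno policy would report in Audit mode; passing allowed_ports lets you carve out the node agents that a "Known list" exception covers while still flagging everything else.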

Resource Example

Below is a Deployment resource example that conforms to the control: the hostPort field is not set on any port, and initcontainer01 declares no ports at all. If hostPort were present, it would have to be set to 0.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
      - name: initcontainer02
        image: dummyimagename
        ports:
        - name: web-insecure
          containerPort: 8080
      containers:
      - name: container01
        image: dummyimagename
        ports:
        - name: web-insecure
          containerPort: 8080