Lateral movement

Controller creating pods with hostNetwork enabled

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

hostNetwork, when set to true, makes the pod share the node's network namespace and network resources instead of getting its own. The pod then sees the node's interfaces and loopback device, can bind to ports on the node's addresses (including ports meant only for node-local services), and, with a capability such as CAP_NET_RAW, can capture the traffic of other pods on the node. Controller {K8sController} was found with a pod template that allows the pods it creates to use the node's network namespace and network resources. Pod security attributes such as this one limit how far a compromised pod can reach beyond the pod-level context; an adversary who compromises a pod created by this controller can use the misconfiguration to attack other workloads on the node and, from there, the cluster.
  • Recommended Mitigation

    Set hostNetwork to false (or omit it, since false is the default) in the pod template of the controller. Enforce this cluster-wide rather than per workload: the baseline Pod Security Standard forbids hostNetwork, so labelling a namespace with pod-security.kubernetes.io/enforce=baseline makes the API server reject new pods that set it. Some node-level agents (CNI plugins, kube-proxy, node monitoring) legitimately need the node's network namespace; keep those in a dedicated namespace such as kube-system and review them individually instead of disabling the check for the whole cluster.
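The following Python script is an added example and is not part of this finding page or of any scanner's own code. It takes the JSON that kubectl get deployments,daemonsets,statefulsets,cronjobs -A -o json produces (a constructed sample with that shape is embedded), flags every controller whose pod template sets hostNetwork: true, reports hits in namespaces that usually hold node agents separately so they can be reviewed rather than blindly changed, and produces the remediated pod template for a flagged controller. The controller names, namespaces and the default exempt-namespace list are assumptions made for the example.

```python
import json

# Constructed sample in the shape of
# `kubectl get deployments,daemonsets,statefulsets,cronjobs -A -o json`:
# a v1 List whose items carry kind, metadata and the controller's pod template.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
         "spec": {"template": {"spec": {"hostNetwork": True,
                                        "containers": [{"name": "web", "image": "nginx"}]}}}},
        {"kind": "DaemonSet", "metadata": {"name": "cni-agent", "namespace": "kube-system"},
         "spec": {"template": {"spec": {"hostNetwork": True,
                                        "containers": [{"name": "cni", "image": "cni"}]}}}},
        {"kind": "StatefulSet", "metadata": {"name": "db", "namespace": "shop"},
         "spec": {"template": {"spec": {"hostNetwork": False,
                                        "containers": [{"name": "db", "image": "postgres"}]}}}},
        {"kind": "CronJob", "metadata": {"name": "backup", "namespace": "shop"},
         "spec": {"jobTemplate": {"spec": {"template": {"spec": {
             "hostNetwork": True,
             "containers": [{"name": "bk", "image": "busybox"}]}}}}}},
        {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
         "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "api"}]}}}},
    ],
})


def sample_items():
    """Parsed items of the constructed sample, for callers and tests."""
    return json.loads(SAMPLE_KUBECTL_JSON)["items"]


def pod_spec_of(controller):
    """Return the pod spec this controller stamps out, or None.
    CronJobs nest the pod template one level deeper
    (spec.jobTemplate.spec.template) than Deployments, DaemonSets and StatefulSets."""
    spec = controller.get("spec", {})
    if controller.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec")


def find_host_network_controllers(kubectl_json, exempt_namespaces=("kube-system",)):
    """Flag controllers whose pod template sets hostNetwork: true.
    hostNetwork defaults to false, so an absent key is treated as safe.
    Hits in exempt_namespaces (assumed to hold node agents such as CNI plugins)
    are returned in a second list for manual review instead of being dropped."""
    findings, exempt = [], []
    for item in json.loads(kubectl_json).get("items", []):
        pod_spec = pod_spec_of(item)
        if not pod_spec or pod_spec.get("hostNetwork") is not True:
            continue
        meta = item["metadata"]
        ref = "%s/%s/%s" % (item["kind"], meta["namespace"], meta["name"])
        (exempt if meta["namespace"] in exempt_namespaces else findings).append(ref)
    return findings, exempt


def remediate(controller):
    """Return a copy of the controller with hostNetwork dropped from its pod template,
    which is equivalent to hostNetwork: false. The input is left untouched."""
    fixed = json.loads(json.dumps(controller))
    pod_spec = pod_spec_of(fixed)
    if pod_spec is not None:
        pod_spec.pop("hostNetwork", None)
    return fixed


if __name__ == "__main__":
    flagged, review = find_host_network_controllers(SAMPLE_KUBECTL_JSON)
    print("flagged:", flagged)
    print("exempt namespaces, review manually:", review)
    for item in sample_items():
        if "%s/%s/%s" % (item["kind"], item["metadata"]["namespace"],
                         item["metadata"]["name"]) in flagged:
            print("remediated pod spec:", json.dumps(pod_spec_of(remediate(item))))
```

To run it against a live cluster, replace SAMPLE_KUBECTL_JSON with the output of the kubectl command above. The exempt list only changes where a hit is reported, not whether it is reported, so a DaemonSet in kube-system with hostNetwork still shows up for review.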