The dockerfile for a container image defines the ports which are opened by default on a container instance. The list of ports are relevant to the application you are running within the container and should only be open if they are needed.
Recommended Mitigation
You should not pass the --net=host option when starting any container.
Workload misconfigurations
