Access to host ports
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | misconfiguration |
Description
The configuration allows Kubernetes pods to bind container ports directly to host machine ports using the `hostPort` setting. This practice bypasses network isolation between pods and the host, violating pod security standards.
Impact
Exposing host ports can enable attackers to access or interfere with services on the host, escalate privileges, or disrupt network traffic, increasing the risk of lateral movement and compromise of the entire cluster or underlying infrastructure.
Resolution
Do not set `spec.containers[].ports[].hostPort` and `spec.initContainers[].ports[].hostPort`.
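An added checker, not part of the original rule page, that walks the two fields named above in a parsed manifest and reports every `hostPort` it finds; it is run here against a constructed non-compliant Pod and the same workload rewritten as a compliant Deployment. It goes slightly beyond the rule text by also following `spec.template.spec` for workload kinds that embed a pod template.

```python
"""Flag hostPort usage in Kubernetes manifests (added example, not from the original page)."""


def _pod_spec(manifest: dict):
    """Locate the pod spec: either the manifest's own spec (kind: Pod) or the
    embedded pod template (Deployment, DaemonSet, StatefulSet, Job, ...).
    Returns (path_prefix, spec_dict); the spec dict is empty if none is found."""
    spec = manifest.get("spec") or {}
    if "containers" in spec:
        return "spec", spec
    template = spec.get("template") or {}
    return "spec.template.spec", template.get("spec") or {}


def find_host_ports(manifest: dict) -> list:
    """Return the location and value of every hostPort in the manifest.
    Covers spec.containers[].ports[].hostPort and spec.initContainers[].ports[].hostPort,
    the two fields the Resolution forbids. An empty list means the manifest is compliant."""
    findings = []
    prefix, spec = _pod_spec(manifest)
    for field in ("containers", "initContainers"):
        for ci, container in enumerate(spec.get(field) or []):
            for pi, port in enumerate(container.get("ports") or []):
                if "hostPort" in port:  # any value, including 0, still binds a host port
                    findings.append(f"{prefix}.{field}[{ci}].ports[{pi}].hostPort={port['hostPort']}")
    return findings


# Constructed sample manifests, shaped like what yaml.safe_load() returns for the documents.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "ports": [{"containerPort": 9000, "hostPort": 9000}]}],
        "containers": [{"name": "web", "image": "nginx",
                        "ports": [{"containerPort": 80, "hostPort": 8080}]}],
    },
}

# Same workload with every hostPort removed; expose it through a Service instead.
COMPLIANT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 2, "template": {"spec": {
        "containers": [{"name": "web", "image": "nginx",
                        "ports": [{"containerPort": 80}]}]}}},
}

if __name__ == "__main__":
    for manifest in (NONCOMPLIANT_POD, COMPLIANT_DEPLOYMENT):
        print(manifest["kind"], find_host_ports(manifest) or "OK")
```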