Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces.
Refer to the Nirmata curated policies - disallow-host-namespaces.yaml
The configuration below states that if a deployed resource contains any of hostPID, hostIPC, or hostNetwork in its pod spec, the only acceptable value for that field is false. If none of these fields is present to begin with, the resource is conformant by default. In the policy pattern, the `=(field)` conditional anchor expresses exactly this: the value is checked only when the field exists.

```yaml
=(hostPID): "false"
=(hostIPC): "false"
=(hostNetwork): "false"
```
Below is a Deployment resource example where all three fields (hostPID, hostIPC, and hostNetwork) are set to false. Even if only one or two of them are present, they must be set to false.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      hostPID: false
      hostIPC: false
      hostNetwork: false
      containers:
      - name: container01
        image: dummyimagename
```
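The conditional-anchor semantics described above (a missing field is conformant, a present field must be false) can be checked offline before a manifest reaches the cluster. The following is an added example, not code from the page or from the Nirmata policy set; the manifests are constructed inline and the function names are my own.

```python
"""Pre-admission check mirroring the disallow-host-namespaces rule:
hostPID, hostIPC and hostNetwork are optional, but when present they
must be exactly the boolean false."""

HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def pod_spec_of(resource: dict) -> dict:
    """Return the pod spec of a Pod, or of a workload (Deployment,
    StatefulSet, DaemonSet, Job, ...) that embeds a pod template."""
    if resource.get("kind") == "Pod":
        return resource.get("spec", {})
    return resource.get("spec", {}).get("template", {}).get("spec", {})


def host_namespace_violations(resource: dict) -> list:
    """Fields that are present and not boolean false. An absent field is
    conformant, matching the =(field) conditional anchor in the policy."""
    spec = pod_spec_of(resource)
    return [f for f in HOST_NAMESPACE_FIELDS if f in spec and spec[f] is not False]


def is_conformant(resource: dict) -> bool:
    return not host_namespace_violations(resource)


# Constructed sample manifests (hypothetical names, not from the policy repo).
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {"template": {"spec": {
        "hostPID": False, "hostIPC": False, "hostNetwork": False,
        "containers": [{"name": "container01", "image": "dummyimagename"}]}}},
}
# Fields omitted entirely: conformant by default.
MINIMAL_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "minimal"},
               "spec": {"containers": [{"name": "c", "image": "dummyimagename"}]}}
# One field present and true: rejected; the others are simply absent.
HOST_NET_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hostnet"},
                "spec": {"hostNetwork": True,
                         "containers": [{"name": "c", "image": "dummyimagename"}]}}

if __name__ == "__main__":
    for r in (GOOD_DEPLOYMENT, MINIMAL_POD, HOST_NET_POD):
        print(r["metadata"]["name"], host_namespace_violations(r) or "conformant")
```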