Disallow Host Ports

Description

Mapping a container port to a host port exposes the container directly on the node's network interface. This allows potential snooping of network traffic and should not be allowed, or at minimum should be restricted to a known list of ports. This control recommends that the hostPort field is left unset or set to 0.

Restricted Fields

  • spec.containers[*].ports[*].hostPort
  • spec.initContainers[*].ports[*].hostPort
  • spec.ephemeralContainers[*].ports[*].hostPort

Allowed Values

  • Undefined/nil
  • A known list of permitted host port numbers
  • 0

Kyverno Policy

Refer to the Nirmata curated policies - disallow-host-ports.yaml

References

Configuration Settings

Use of host ports is disallowed. To be conformant with this security control, any resource that includes the fields spec.containers[*].ports[*].hostPort, spec.initContainers[*].ports[*].hostPort or spec.ephemeralContainers[*].ports[*].hostPort must have those fields either unset or set to 0 (the Kubernetes API server treats a hostPort of 0 as unset). In the Kyverno pattern below, =() is the equality anchor: a field wrapped in it is only evaluated when it is present in the resource, so ports and hostPort remain optional, but a hostPort that is present must equal 0 or the resource is rejected.

=(ephemeralContainers):
  - =(ports):
    - =(hostPort): 0
=(initContainers):
  - =(ports):
    - =(hostPort): 0
containers:
  - =(ports):
    - =(hostPort): 0

Resource Example

Below is a Deployment resource example where the hostPort field is not set at all. If present, it should be set to 0.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
      - name: initcontainer02
        image: dummyimagename
        ports:
        - name: web-insecure
          containerPort: 8080
      containers:
      - name: container01
        image: dummyimagename
        ports:
        - name: web-insecure
          containerPort: 8080
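The following is an added, stand-alone checker that applies the same rule as the Kyverno pattern above to a manifest held in memory; it is example code written for this page, not the Nirmata curated policy and not Kyverno itself. It walks the three restricted container lists, treats an unset or 0 hostPort as compliant, and optionally accepts an allow-list, which is the "known list" variant of the control. The manifests embedded in it are constructed for the example: the compliant Deployment from the Resource Example section, and a hypothetical Pod that binds host ports 8080 and 443. Manifests are plain dicts so the script runs with only the standard library.

```python
"""Offline checker for the "Disallow Host Ports" control.

Added example, not the Nirmata policy or Kyverno code. Finds every hostPort
under spec.containers, spec.initContainers and spec.ephemeralContainers of a
Pod, or of the Pod template embedded in a Deployment/StatefulSet/DaemonSet/Job,
and reports any value that is neither 0 nor on an optional allow-list.
"""
from typing import Iterator

# The three container lists the control restricts.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a bare Pod or of a workload with spec.template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def host_ports(manifest: dict) -> Iterator[tuple[str, str, int]]:
    """Yield (field path, container name, hostPort) for every hostPort that is set."""
    spec = pod_spec(manifest)
    for list_name in CONTAINER_LISTS:
        for i, container in enumerate(spec.get(list_name) or []):
            for j, port in enumerate(container.get("ports") or []):
                if "hostPort" in port:  # absent field is compliant, nothing to report
                    path = f"spec.{list_name}[{i}].ports[{j}].hostPort"
                    yield path, container.get("name", "?"), port["hostPort"]


def violations(manifest: dict, allowed: frozenset[int] = frozenset()) -> list[str]:
    """Return one message per hostPort that is neither 0 nor on the allow-list."""
    msgs = []
    for path, name, value in host_ports(manifest):
        if value == 0 or value in allowed:  # 0 is treated as unset by the API server
            continue
        msgs.append(f"{path} (container {name!r}) = {value} is not allowed")
    return msgs


# Constructed sample: the compliant Deployment from the Resource Example above.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "app"}},
             "template": {"metadata": {"labels": {"app": "app"}},
                          "spec": {
                              "initContainers": [
                                  {"name": "initcontainer01", "image": "dummyimagename"},
                                  {"name": "initcontainer02", "image": "dummyimagename",
                                   "ports": [{"name": "web-insecure", "containerPort": 8080}]}],
                              "containers": [
                                  {"name": "container01", "image": "dummyimagename",
                                   "ports": [{"name": "web-insecure", "containerPort": 8080}]}]}}},
}

# Constructed sample: a hypothetical Pod that binds node ports 8080 and 443,
# plus one explicit hostPort of 0, which the control accepts.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "badpod"},
    "spec": {
        "initContainers": [{"name": "init", "image": "dummyimagename",
                            "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
        "containers": [{"name": "web", "image": "dummyimagename",
                        "ports": [{"containerPort": 8443, "hostPort": 443},
                                  {"containerPort": 9090, "hostPort": 0}]}],
    },
}


if __name__ == "__main__":
    for label, manifest in (("gooddeployment", GOOD_DEPLOYMENT), ("badpod", BAD_POD)):
        found = violations(manifest)
        print(f"{label}: {'compliant' if not found else 'NOT compliant'}")
        for msg in found:
            print("  ", msg)
    # Known-list variant: permit 443 on the node, everything else still fails.
    print("badpod with 443 allow-listed:", violations(BAD_POD, allowed=frozenset({443})))
```

The reported field paths use the same spec.<list>[i].ports[j].hostPort form as the Restricted Fields list, so a finding can be matched directly against the control. CronJobs nest the Pod template one level deeper (spec.jobTemplate.spec.template) and would need a small extension to pod_spec.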