Kubernetes pod with host network created
Description
AlphaSOC detected a Kubernetes pod created with the hostNetwork setting enabled. This configuration allows the pod to bypass container network isolation and access the host node's network namespace directly, granting access to host-level network resources and interfaces that are normally isolated from containerized workloads.
Impact
A pod with hostNetwork enabled can monitor network traffic on the host node, access local network services, and potentially bypass network policies. This configuration may allow adversaries to conduct network reconnaissance, intercept traffic, access restricted services, and potentially pivot to other containers or hosts within the cluster.
Severity
| Severity | Condition |
|---|---|
| Informational | Kubernetes pod with host network created |
Investigation and Remediation
Review the pod specifications to confirm that hostNetwork access is required for the pod's intended functionality. Identify which user or service account created the pod and verify proper authorization. If the pod was created without proper justification, remove it and review the creator's permissions. Audit other pods for similar configurations. Implement admission controller policies to restrict hostNetwork usage to authorized workloads only.
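The following script is an added example, not part of the AlphaSOC page or product, covering two of the steps above: auditing existing pods for the hostNetwork setting (over the JSON that `kubectl get pods -A -o json` returns) and identifying who created a hostNetwork pod (from a Kubernetes audit-log event). Both inputs are constructed inline so the script runs offline; the pod names, namespaces, usernames and the allow-list of expected hostNetwork workloads are assumptions for the example.

```python
"""Audit Kubernetes pods and audit-log events for hostNetwork: true.

Added example. Inputs are constructed inline:
  * a PodList in the shape `kubectl get pods -A -o json` returns, and
  * one audit.k8s.io/v1 Event recording a pod create request.
"""
import json

# Constructed sample PodList. kube-proxy is a typical legitimate hostNetwork
# workload; the other two pods are illustrative and not from any real cluster.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "kube-proxy-abc12", "namespace": "kube-system"},
         "spec": {"hostNetwork": True, "serviceAccountName": "kube-proxy"}},
        {"metadata": {"name": "web-7d9f", "namespace": "shop"},
         "spec": {"serviceAccountName": "default"}},
        {"metadata": {"name": "netshoot", "namespace": "dev"},
         "spec": {"hostNetwork": True, "serviceAccountName": "default"}},
    ],
})

# Constructed sample audit event. requestObject is only present when the
# audit policy level for pods is Request or RequestResponse.
SAMPLE_AUDIT_EVENT = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1",
    "level": "RequestResponse", "stage": "ResponseComplete",
    "verb": "create",
    "user": {"username": "system:serviceaccount:dev:ci-runner"},
    "sourceIPs": ["10.0.0.12"],
    "objectRef": {"resource": "pods", "namespace": "dev", "name": "netshoot"},
    "requestObject": {"spec": {"hostNetwork": True}},
})

# (namespace, serviceAccount) pairs for which hostNetwork is expected.
# This allow-list is an assumption for the example; maintain your own.
ALLOWED = {("kube-system", "kube-proxy")}


def host_network_pods(podlist_json):
    """Return (namespace, name, serviceAccount) for every pod with hostNetwork: true."""
    items = json.loads(podlist_json).get("items", [])
    return [
        (p["metadata"]["namespace"], p["metadata"]["name"],
         p["spec"].get("serviceAccountName", "default"))
        for p in items
        if p.get("spec", {}).get("hostNetwork") is True
    ]


def unexpected_host_network_pods(podlist_json, allowed=ALLOWED):
    """Keep only hostNetwork pods whose (namespace, serviceAccount) is not allow-listed."""
    return [(ns, name, sa) for ns, name, sa in host_network_pods(podlist_json)
            if (ns, sa) not in allowed]


def host_network_create_event(event_json):
    """Return a finding dict for a pod create with hostNetwork: true, else None.

    Mirrors the detection condition on this page, run over one audit event.
    """
    ev = json.loads(event_json)
    ref = ev.get("objectRef", {})
    if ev.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    spec = ev.get("requestObject", {}).get("spec", {})
    if spec.get("hostNetwork") is not True:
        return None
    return {
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "creator": ev.get("user", {}).get("username"),
        "source_ips": ev.get("sourceIPs", []),
    }


if __name__ == "__main__":
    for ns, name, sa in unexpected_host_network_pods(SAMPLE_PODLIST):
        print(f"unexpected hostNetwork pod {ns}/{name} (serviceAccount={sa})")
    finding = host_network_create_event(SAMPLE_AUDIT_EVENT)
    if finding:
        print("hostNetwork pod created:", finding)
```

When a pod is created by a controller (Deployment, DaemonSet, Job), the audit event's user is the controller's service account rather than the person who applied the manifest; follow the pod's ownerReferences up to the parent object and look at the create or update event for that object to find the actual actor. For the admission-controller step, note that the Kubernetes Pod Security Standards `baseline` profile already disallows `hostNetwork: true`, so enforcing `baseline` or `restricted` through Pod Security Admission on all namespaces except those that host the allow-listed workloads covers it without a custom policy.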