HostPorts should not be enabled on containers.
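apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-010
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "HostPorts Enabled on Containers"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-732"
    rules.spotter.dev/description: "HostPorts should not be enabled on containers."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
        namespaces:
          include: ["*"]
          # kube-system and kube-public are excluded; workloads there are
          # outside this rule's scope and must be reviewed separately.
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  # A finding is raised when any container, initContainer or
  # ephemeralContainer declares a port entry with hostPort set. Pods are
  # inspected at spec.*; Deployments, StatefulSets and DaemonSets are
  # inspected at spec.template.spec.*.
  # NOTE(review): has(p.hostPort) matches any explicit hostPort value,
  # including 0 — confirm whether an explicit 0 should count as a finding.
  cel: |
    (object.kind == 'Pod' && (
      (has(object.spec.containers) && object.spec.containers.exists(c, has(c.ports) && c.ports.exists(p, has(p.hostPort)))) ||
      (has(object.spec.initContainers) && object.spec.initContainers.exists(c, has(c.ports) && c.ports.exists(p, has(p.hostPort)))) ||
      (has(object.spec.ephemeralContainers) && object.spec.ephemeralContainers.exists(c, has(c.ports) && c.ports.exists(p, has(p.hostPort))))
    )) || (object.kind != 'Pod' && (
      (has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, has(c.ports) && c.ports.exists(p, has(p.hostPort)))) ||
      (has(object.spec.template.spec.initContainers) && object.spec.template.spec.initContainers.exists(c, has(c.ports) && c.ports.exists(p, has(p.hostPort)))) ||
      (has(object.spec.template.spec.ephemeralContainers) && object.spec.template.spec.ephemeralContainers.exists(c, has(c.ports) && c.ports.exists(p, has(p.hostPort))))
    ))
  # Remediation and references must describe hostPort, which is what the CEL
  # above detects; the previous text and link covered hostPath volumes, a
  # different control.
  remediation:
    manual: "Remove hostPort from container port definitions. Expose the workload through a Service (ClusterIP, NodePort or LoadBalancer) or an Ingress instead; if binding to a node port is unavoidable, document the justification and confine the workload to a dedicated namespace."
  references:
    - title: "Configuration Best Practices - Services"
      url: "https://kubernetes.io/docs/concepts/configuration/overview/#services"
    - title: "Pod Security Standards - Baseline (HostPorts)"
      url: "https://kubernetes.io/docs/concepts/security/pod-security-standards/"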