Going through Kubernetes pod security standards, it'd be important to have an auditor to catch allowed hostPorts. Could this be added to the hostns auditor?
HostPorts should be disallowed, or at minimum restricted to a known list.
Restricted Fields
- spec.containers[*].ports[*].hostPort
- spec.initContainers[*].ports[*].hostPort
- spec.ephemeralContainers[*].ports[*].hostPort
Allowed Values
- Undefined/nil
- Known list
- 0
ISSUE TYPE
[ ] Bug Report
[x] Feature Idea
SUMMARY
follow best practices and keep kubeaudit scans/audits up to date
FEATURE IDEA
[ ] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.1
Proposal:
1This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.
Going through Kubernetes pod security standards, it'd be important to have an auditor to catch allowed hostPorts. Could this be added to the hostns auditor?
ISSUE TYPE
SUMMARY
follow best practices and keep kubeaudit scans/audits up to date
FEATURE IDEA
Proposal:
1 This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.