Enforces that no container is able to use the ports of a node it is running on.
Note that this policy is part of the following security standards:
k8s/baseline
: Minimally restrictive policy while preventing known privilege escalations.k8s/restricted
: Heavily restricted policy, following current Pod hardening best practices.nist/SP.800-190
: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3bsi/containerization
: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A16bsi/kubernetes
: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A7apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
- hostPort: 8080
securitytower.io/policy.exclusion.preventhostports
as on the example below.
apiVersion: apps/v1 kind: Deployment metadata: name: your-deployment annotations: securitytower.io/policy.exclusion.preventhostports: |- This container must use the host ports for following reasons. ...