
Minimize Admission of Containers Sharing the Host Network Namespace


Risk Level: Medium (should be achieved)

Ensure that containers are prohibited from being admitted if they have "hostNetwork" set to true. The "hostNetwork" flag should be restricted because it allows containers to share the host operating system's network namespace. When a container uses the host network namespace, i.e., **hostNetwork: true**, it essentially bypasses the standard network isolation provided by Kubernetes and the container runtime.

Security

A container running in the host's network namespace can access the local loopback device and network traffic to and from other Pods. Therefore, you must define at least one admission control policy that prohibits containers from sharing the host network namespace.


Audit

To determine if the containers are permitted to operate with the "hostNetwork" flag set to true, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
        --cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --file $HOME/.kube/config \
        --kube-endpoint PUBLIC_ENDPOINT \
        --region 'ap-sydney-1' \
        --token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version
    
  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
    Kustomize Version: v5.6.0
    Server Version: v1.34.1
    
  9. Run the following command to list the names of all Pods across all namespaces and filter the output for Pods whose specification sets "hostNetwork" to true (hostNetwork is a Pod-level field, so it is read from .spec rather than from an individual container):

    kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.spec.hostNetwork == true) | "\(.metadata.namespace)/\(.metadata.name)"'
    
  10. The command output should return the requested information:

    dev/proxymux-client-abc123
    dev/monitoring-agent-abc
    dev/canal-abcd1234
    dev/kube-proxy-123abc
    

    If the command output returns one or more results, it indicates that Pods are running within the selected OKE cluster that violate the security restriction against host network namespace sharing (i.e., containers are permitted to run with hostNetwork: true).

Remediation / Resolution

To ensure that containers are not permitted to run with the "hostNetwork" flag set to true, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
        --cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --file $HOME/.kube/config \
        --kube-endpoint PUBLIC_ENDPOINT \
        --region 'ap-sydney-1' \
        --token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version
    
  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
    Kustomize Version: v5.6.0
    Server Version: v1.34.1
    
  9. Run the kubectl get namespaces command to identify your Kubernetes user-workload namespaces. A Kubernetes user-workload namespace is a logical partition within an OKE cluster intended for hosting applications and services deployed by users or development teams:

    kubectl get namespaces
    
  10. The command output should return a list of all namespaces. OCI Kubernetes Engine (OKE) clusters come with several default namespaces. Exclude the default OKE system namespaces (i.e., kube-system, kube-public, kube-node-lease, and default) from the enforcement steps that follow:

    NAME                 STATUS   AGE
    default              Active   16d
    kube-node-lease      Active   16d
    kube-public          Active   16d
    kube-system          Active   16d
    ...
    dev                  Active   16d
    staging              Active   16d
    prod                 Active   16d
    
  11. The Baseline and Restricted Pod Security Standard (PSS) profiles, when enforced at the namespace level, disallow hostNetwork: true. To block Pods that use host networking, run the kubectl label command for each Kubernetes user-workload namespace where enforcement is desired. Applying a label such as pod-security.kubernetes.io/enforce=baseline instructs the Kubernetes API server that any new Pod in that namespace must comply with the Baseline profile. Once the enforcement label is applied, the API server rejects any Pod creation request in that namespace whose Pod specification explicitly sets hostNetwork: true. Replace <user-workload-namespace> with the name of your own namespace:

    kubectl label namespace <user-workload-namespace> pod-security.kubernetes.io/enforce=baseline
    
  12. The command output should return the name of the labeled user-workload-namespace:

    namespace/<user-workload-namespace> labeled
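The following Python script is an added example, not part of the original page or of any Trend Micro or OCI tooling. It ties the audit (step 9 of the Audit section: the jq filter over `kubectl get pods --all-namespaces -o json`) to the remediation (steps 9 to 12 above: labeling user-workload namespaces with a PSS enforce level). It works offline on constructed sample JSON shaped like the `kubectl ... -o json` output, so the namespace names, Pod names and label values are illustrative, not from a real cluster. It reports Pods with `hostNetwork: true`, finds user-workload namespaces that do not block host networking at admission (unlabeled, or labeled `enforce=privileged`, which imposes no restrictions), and generates the corresponding `kubectl label` commands. The `--overwrite` flag is a real kubectl option, added here because `kubectl label` refuses to change a label that already exists.

```python
import json

# OKE system namespaces the remediation procedure says to leave out.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease", "default"}

# PSS levels whose admission rules reject hostNetwork: true.
# "privileged" imposes no restrictions, so it does not block host networking.
BLOCKING_LEVELS = {"baseline", "restricted"}

# Constructed sample of `kubectl get pods --all-namespaces -o json`
# (illustrative data, not output from a real cluster).
PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "dev", "name": "monitoring-agent-abc"},
         "spec": {"hostNetwork": True}},
        {"metadata": {"namespace": "dev", "name": "web-frontend-xyz"},
         "spec": {}},
        {"metadata": {"namespace": "prod", "name": "proxymux-client-abc123"},
         "spec": {"hostNetwork": True}},
        {"metadata": {"namespace": "kube-system", "name": "kube-proxy-123abc"},
         "spec": {"hostNetwork": True}},
    ]
})

# Constructed sample of `kubectl get namespaces -o json` (illustrative data).
NAMESPACES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "default", "labels": {}}},
        {"metadata": {"name": "kube-system", "labels": {}}},
        {"metadata": {"name": "dev", "labels": {}}},
        {"metadata": {"name": "staging",
                      "labels": {"pod-security.kubernetes.io/enforce": "privileged"}}},
        {"metadata": {"name": "prod",
                      "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
    ]
})


def host_network_pods(pods_json):
    """Return 'namespace/name' for every Pod whose spec sets hostNetwork: true.

    Same selection as the page's jq filter: hostNetwork is a Pod-level field,
    so it is read from .spec, never from a container's securityContext.
    """
    items = json.loads(pods_json)["items"]
    return [f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
            for p in items if p.get("spec", {}).get("hostNetwork") is True]


def existing_violations(pods_json):
    """Host-networked Pods in user-workload namespaces that are already running.

    Pod Security Admission only evaluates create/update requests, so labeling a
    namespace does not evict Pods already running there: these must be
    redeployed (or removed) after the enforce label is in place.
    """
    return [ref for ref in host_network_pods(pods_json)
            if ref.split("/", 1)[0] not in SYSTEM_NAMESPACES]


def enforcement_level(ns):
    """PSS enforce level from a namespace object, or None when unlabeled."""
    labels = ns["metadata"].get("labels") or {}
    return labels.get("pod-security.kubernetes.io/enforce")


def namespaces_needing_enforcement(namespaces_json):
    """User-workload namespaces that do not block hostNetwork at admission.

    Only baseline or restricted counts as compliant; a missing label and
    enforce=privileged both admit host-networked Pods.
    """
    items = json.loads(namespaces_json)["items"]
    return [ns["metadata"]["name"] for ns in items
            if ns["metadata"]["name"] not in SYSTEM_NAMESPACES
            and enforcement_level(ns) not in BLOCKING_LEVELS]


def remediation_commands(namespaces_json):
    """One kubectl label command per non-compliant user-workload namespace."""
    return [f"kubectl label namespace {name} "
            "pod-security.kubernetes.io/enforce=baseline --overwrite"
            for name in namespaces_needing_enforcement(namespaces_json)]


if __name__ == "__main__":
    print("Pods with hostNetwork: true:", host_network_pods(PODS_JSON))
    print("Still running in user namespaces:", existing_violations(PODS_JSON))
    print("Namespaces to label:", namespaces_needing_enforcement(NAMESPACES_JSON))
    for cmd in remediation_commands(NAMESPACES_JSON):
        print(cmd)
```

On a live cluster, replace the two constructed constants with the output of `kubectl get pods --all-namespaces -o json` and `kubectl get namespaces -o json`. The check on `existing_violations` is the part the procedure above does not spell out: the enforce label stops new host-networked Pods, but anything already admitted keeps running until it is redeployed.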
    

Publication date Dec 11, 2025