For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace.md. A documentation index is available at /llms.txt.

PSP allows containers to share the host network namespace

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-kubernetes-psp-allows-containers-to-share-the-host-network-namespace

Cloud Provider: Kubernetes

Platform: Terraform

Severity: High

Category: Insecure Configurations

Learn More

Description

Checks whether kubernetes_pod_security_policy resources allow containers to share the host network namespace. The rule identifies resources where spec.hostNetwork is set to true. Allowing hostNetwork exposes the node’s network stack to pods, increasing attack surface and risking port collisions and privilege escalation. spec.hostNetwork should be set to false or left undefined to ensure pods use isolated network namespaces.

Compliant Code Examples

resource "kubernetes_pod_security_policy" "example" {
  metadata {
    name = "terraform-example"
  }
  spec {
    privileged                 = false
    allow_privilege_escalation = false
    host_network               = false

    volumes = [
      "configMap",
      "emptyDir",
      "projected",
      "secret",
      "downwardAPI",
      "persistentVolumeClaim",
    ]

    run_as_user {
      rule = "MustRunAsNonRoot"
    }

    se_linux {
      rule = "RunAsAny"
    }

    supplemental_groups {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    fs_group {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    read_only_root_filesystem = true
  }
}

Non-Compliant Code Examples

resource "kubernetes_pod_security_policy" "example" {
  metadata {
    name = "terraform-example"
  }
  spec {
    privileged                 = false
    allow_privilege_escalation = false
    host_network               = true

    volumes = [
      "configMap",
      "emptyDir",
      "projected",
      "secret",
      "downwardAPI",
      "persistentVolumeClaim",
    ]

    run_as_user {
      rule = "MustRunAsNonRoot"
    }

    se_linux {
      rule = "RunAsAny"
    }

    supplemental_groups {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    fs_group {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    read_only_root_filesystem = true
  }
}