漏洞描述
Checks Kubernetes Deployments to ensure they are not configured to use host ports, which can expose the host to potential security risks.
k8s-host-ports-check: Host ports should not be used
PoC代码[已公开]
id: k8s-host-ports-check
info:
name: Host ports should not be used
author: princechaddha
severity: medium
description: Checks Kubernetes Deployments to ensure they are not configured to use host ports, which can expose the host to potential security risks.
impact: |
Using host ports can compromise the isolation between the host and the containers, increasing the risk of unauthorized access to host resources. This can lead to security breaches.
remediation: |
Avoid using host ports in Kubernetes Deployments. Use services or other networking mechanisms to expose container applications.
reference:
- https://kubernetes.io/docs/concepts/services-networking/service/
tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security
flow: |
code(1);
for (let deployment of template.items) {
set("deployment", deployment)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get deployments --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {name: .metadata.name, namespace: .metadata.namespace, containers: .spec.template.spec.containers}'
javascript:
- code: |
let deploymentData = JSON.parse(template.deployment);
deploymentData.containers.forEach(container => {
if (container.ports && container.ports.some(port => port.hostPort)) {
let result = (`Deployment '${deploymentData.name}' in namespace '${deploymentData.namespace}' uses host ports.`);
Export(result);
}
});
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402202c71edff4b5b9cd6cef6f07cbd4420a429265debb788a378c9a715ec34fe32aa02205dcde3cc5ebb84dfe9be45554c68e086661ec9fb7f1de7a3e01bea7dfc904922:922c64590222798bb761d5b6d8e72950