Terraform Host Network Enabled
Description
Identifies Kubernetes configurations in Terraform that enable host network mode for pods. When host network is enabled, the pod can use the host's network namespace, which bypasses network isolation and could allow the pod to sniff network traffic or access sensitive ports on the host.
Detection Strategy
• Examine Terraform configuration files that define Kubernetes resources like Pod, Deployment, DaemonSet, or StatefulSet
• Look for 'spec' block configurations within these resources
• Check if 'host_network' attribute is set to true in the spec configuration
• Report a vulnerability if host network mode is enabled since it grants unrestricted network access to the host
Vulnerable code example
resource "kubernetes_cron_job_v1" "demo" {
metadata {
name = "demo-job"
}
spec {
schedule = "*/5 * * * *"
job_template {
spec {...✅ Secure code example
resource "kubernetes_cron_job_v1" "demo" {
metadata {
name = "demo-job"
}
spec {
schedule = "*/5 * * * *"
job_template {
spec {...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.