
Add exception: Usage of host networking and ports should be restricted [Medium]

Open emirgens opened this issue 10 months ago • 0 comments

Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To avoid a compromised container sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.

Component

  • [ ] kube-prometheus-stack-prometheus-node-exporter

Remediation

  1. Ensure the following are all configured in the security policy parameters: allow host network usage, and min and max host ports.
  2. From the Unhealthy resources tab, select the cluster. Defender for Cloud lists the pods running containers with host networking violating the configured list.
  3. Validate the host networking using the hostNetwork and hostPort attributes (when applicable) of the container's spec.
  4. After making your changes, redeploy the pod with the updated spec.

  • Alt. 1 - Update the policy to add an exception for node-exporter (request to Solum)
  • Alt. 2 - Install node-exporter in the kube-system namespace

emirgens, Apr 02 '24 09:04
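The check the issue describes (Remediation steps 1 and 3: a policy with "allow host network usage" plus a min/max host port range, evaluated against the hostNetwork and hostPort attributes of each pod) can be reproduced locally before asking for a policy exception. The script below is an added example, not code from the issue author, the radix-platform project or Defender for Cloud: it is a local approximation of that logic, not Defender's implementation. The policy parameter names (ALLOW_HOST_NETWORK, MIN_HOST_PORT, MAX_HOST_PORT) are this example's own, and the three pods in SAMPLE_PODS are constructed to resemble what `kubectl get pods -A -o json` returns, with a node-exporter-style pod that uses both hostNetwork and a hostPort.

```python
"""Flag pods that use host networking or host ports outside an allowed range.

Added example, not part of the radix-platform issue or of Defender for Cloud.
Input shape mirrors a Kubernetes PodList (`kubectl get pods -A -o json`):
a dict with an "items" list of pod objects. Sample pods are constructed.
"""
from typing import Iterable

# Policy parameters mirroring the three settings named in the issue's
# Remediation step 1. Names are this example's own, not Defender's.
ALLOW_HOST_NETWORK = False
MIN_HOST_PORT = 0
MAX_HOST_PORT = 0  # 0..0 means "no host ports allowed"


def _all_containers(spec: dict) -> Iterable[dict]:
    """Yield init, regular and ephemeral containers of a pod spec."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def pod_violations(pod: dict, allow_host_network: bool = ALLOW_HOST_NETWORK,
                   min_port: int = MIN_HOST_PORT, max_port: int = MAX_HOST_PORT) -> list:
    """Return human-readable findings for one pod object (empty if compliant)."""
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod.get("spec", {})
    findings = []
    # hostNetwork: true puts the pod in the node's network namespace.
    if spec.get("hostNetwork") and not allow_host_network:
        findings.append(f"{name}: hostNetwork=true shares the node's network namespace")
    # hostPort on any container binds that port on the node itself.
    for c in _all_containers(spec):
        for p in c.get("ports", []):
            hp = p.get("hostPort")
            if hp is None:
                continue
            if not (min_port <= hp <= max_port):
                findings.append(
                    f"{name}: container {c.get('name')} binds hostPort {hp} "
                    f"outside allowed range {min_port}-{max_port}")
    return findings


def scan(pod_list: dict, **policy) -> list:
    """Run pod_violations over every item of a PodList, returning all findings."""
    out = []
    for pod in pod_list.get("items", []):
        out.extend(pod_violations(pod, **policy))
    return out


# Constructed sample PodList: a node-exporter-style pod, a plain web pod and
# an ingress pod that exposes a host port.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"name": "node-exporter-abc12", "namespace": "monitor"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "node-exporter",
                                  "ports": [{"containerPort": 9100, "hostPort": 9100}]}]}},
        {"metadata": {"name": "web-0", "namespace": "app"},
         "spec": {"containers": [{"name": "web", "ports": [{"containerPort": 8080}]}]}},
        {"metadata": {"name": "ingress-xyz", "namespace": "ingress"},
         "spec": {"containers": [{"name": "nginx",
                                  "ports": [{"containerPort": 443, "hostPort": 443}]}]}},
    ]
}

if __name__ == "__main__":
    print("--- default policy: no host networking, no host ports ---")
    for line in scan(SAMPLE_PODS):
        print(line)
    # Alt. 1 from the issue: policy exception for node-exporter's port only.
    print("--- exception: hostNetwork allowed, hostPort range 9100-9100 ---")
    for line in scan(SAMPLE_PODS, allow_host_network=True, min_port=9100, max_port=9100):
        print(line)
```

Under the default policy the node-exporter pod produces two findings (hostNetwork and hostPort 9100) and the ingress pod one (hostPort 443); with the Alt. 1 style exception only the ingress pod remains flagged, which is the minimal widening of the policy the issue asks for. To run it against a real cluster, replace SAMPLE_PODS with `json.load()` of the `kubectl get pods -A -o json` output.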