
The Kubernetes cluster must use non-privileged host ports for user pods.

An XCCDF Rule

Description

Privileged ports are ports below 1024; on Linux, binding one requires system privileges (root, or the CAP_NET_BIND_SERVICE capability). If containers can use these ports, the container must be run as a privileged user. Kubernetes must stop containers that try to map to these ports directly. When a well-known port is needed, the allowable method is to map a non-privileged port outside the container to the privileged port inside it. An example is mapping port 8080 externally to port 80 in the container.
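The check behind this rule is a walk over every pod outside the system namespaces looking for a host port at or below 1023. The script below is an added example of that audit, not DISA's own check procedure or any project's code. It reads the JSON that `kubectl get pods -A -o json` produces, and it goes one step beyond the rule text by also treating the containerPort values of a pod with `hostNetwork: true` as host ports, since such a pod shares the node's network namespace. The pod list embedded in it is constructed sample data; the namespace set and the exit code convention are this example's own choices.

```python
"""Audit a pod list (kubectl get pods -A -o json) for privileged host ports.

Added example for the CNTR-K8-000960 check; not DISA's own script.
"""
import json
import sys

# Namespaces treated here as system namespaces and excluded from the check.
SYSTEM_NAMESPACES = {"kube-system", "kube-node-lease", "kube-public"}
# Ports 0-1023 are privileged: binding them on Linux needs root or CAP_NET_BIND_SERVICE.
PRIVILEGED_PORT_MAX = 1023


def host_ports(pod):
    """Yield (container_name, host_port) for every host port the pod claims.

    A container's hostPort is a direct claim on a node port. A pod with
    hostNetwork: true shares the node's network namespace, so each of its
    containerPort values is effectively a host port as well.
    """
    spec = pod.get("spec", {})
    host_net = bool(spec.get("hostNetwork", False))
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for port in container.get("ports", []):
            if "hostPort" in port:
                yield container["name"], int(port["hostPort"])
            elif host_net and "containerPort" in port:
                yield container["name"], int(port["containerPort"])


def find_privileged_host_ports(pod_list):
    """Return [(namespace, pod, container, port)] for user-namespace pods
    that claim a host port at or below PRIVILEGED_PORT_MAX."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        namespace = meta.get("namespace", "default")
        if namespace in SYSTEM_NAMESPACES:
            continue
        for container, port in host_ports(pod):
            if port <= PRIVILEGED_PORT_MAX:
                findings.append((namespace, meta["name"], container, port))
    return findings


def _pod(name, namespace, containers, host_network=False):
    """Build a minimal pod object (constructed sample data, not a real cluster dump)."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"hostNetwork": host_network, "containers": containers}}


# Constructed sample pod list: two findings (web:80 and hostnet-dns:53),
# one compliant hostPort (8080), one hostNetwork pod on a high port,
# and a kube-system pod that is out of scope for the check.
SAMPLE_POD_LIST = {"items": [
    _pod("web", "default", [{"name": "nginx", "ports": [{"containerPort": 80, "hostPort": 80}]}]),
    _pod("api", "default", [{"name": "api", "ports": [{"containerPort": 80, "hostPort": 8080}]}]),
    _pod("node-exporter", "monitoring",
         [{"name": "exporter", "ports": [{"containerPort": 9100}]}], host_network=True),
    _pod("cluster-gateway", "kube-system",
         [{"name": "gateway", "ports": [{"containerPort": 443, "hostPort": 443}]}]),
    _pod("hostnet-dns", "default",
         [{"name": "dns", "ports": [{"containerPort": 53}]}], host_network=True),
]}


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_host_ports.py
    # With no piped input the constructed sample list is audited instead.
    pod_list = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_privileged_host_ports(pod_list)
    for namespace, pod, container, port in findings:
        print(f"FINDING {namespace}/{pod} container={container} hostPort={port}")
    sys.exit(1 if findings else 0)
```

On the sample data the script reports `web` (hostPort 80) and `hostnet-dns` (containerPort 53 with hostNetwork) and ignores the kube-system pod; the `api` pod on hostPort 8080 is exactly the mapping the description allows and is not a finding.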

ID
SV-242414r960966_rule
Version
CNTR-K8-000960
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

For any pod that uses a privileged host port (a hostPort below 1024), reconfigure the pod to use a Service that maps a non-privileged host port to the pod port, or reconfigure the image to listen on a non-privileged port.
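The first remediation option, moving the exposure from a hostPort to a Service, is mechanical enough to script. The example below is an added illustration of that rewrite and is not DISA's procedure or any project's tool: it removes every privileged hostPort from a pod manifest and emits a NodePort Service whose non-privileged port (8080 for 80, 8443 for 443, by this example's own default mapping) targets the original container port, so the container keeps listening on 80 while the host no longer has a privileged port claimed on its behalf. The `web` pod manifest is constructed sample data; the `-svc` name suffix and the requirement that the pod carry labels for the selector are this example's assumptions.

```python
"""Rewrite a pod that claims a privileged hostPort so a Service exposes it instead.

Added example for the CNTR-K8-000960 remediation; not DISA's own tooling.
"""
import copy
import json

PRIVILEGED_PORT_MAX = 1023
# Example mapping: privileged host port -> non-privileged Service port.
DEFAULT_EXTERNAL_PORTS = {80: 8080, 443: 8443}


def strip_host_ports(pod):
    """Return (pod copy without privileged hostPort fields, [(hostPort, containerPort), ...]).

    Only host ports at or below PRIVILEGED_PORT_MAX are removed; a hostPort such
    as 8080 is already the allowed non-privileged mapping and is left alone.
    """
    pod = copy.deepcopy(pod)
    removed = []
    for container in pod["spec"].get("containers", []):
        for port in container.get("ports", []):
            if int(port.get("hostPort", 65535)) <= PRIVILEGED_PORT_MAX:
                removed.append((int(port.pop("hostPort")), int(port["containerPort"])))
    return pod, removed


def service_for(pod, removed, external_ports=DEFAULT_EXTERNAL_PORTS):
    """Build a NodePort Service that replaces the removed host ports.

    Each privileged host port becomes a non-privileged Service port targeting the
    container port. NodePort allocation draws from 30000-32767 by default, so the
    port actually opened on the node is non-privileged as well.
    """
    labels = pod["metadata"].get("labels")
    if not labels:
        raise ValueError("pod has no labels to use as a Service selector")
    ports = []
    for host_port, container_port in removed:
        external = external_ports.get(host_port)
        if external is None or external <= PRIVILEGED_PORT_MAX:
            raise ValueError(f"no non-privileged mapping for host port {host_port}")
        ports.append({"name": f"port-{external}", "protocol": "TCP",
                      "port": external, "targetPort": container_port})
    return {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": pod["metadata"]["name"] + "-svc",
                     "namespace": pod["metadata"].get("namespace", "default")},
        "spec": {"type": "NodePort", "selector": labels, "ports": ports},
    }


def remediate(pod, external_ports=DEFAULT_EXTERNAL_PORTS):
    """Return (fixed pod, Service), or (pod, None) when the pod needs no change."""
    fixed, removed = strip_host_ports(pod)
    if not removed:
        return pod, None
    return fixed, service_for(fixed, removed, external_ports)


# Constructed sample: a pod that claims host port 80 directly (the finding).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default", "labels": {"app": "web"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25",
                             "ports": [{"containerPort": 80, "hostPort": 80}]}]},
}

if __name__ == "__main__":
    fixed_pod, service = remediate(SAMPLE_POD)
    # Both documents are valid input for: kubectl apply -f -
    print(json.dumps(fixed_pod, indent=2))
    print(json.dumps(service, indent=2))
```

Applying the two emitted manifests replaces the old pod's host port 80 with Service port 8080 (and an allocated NodePort) in front of container port 80. The container image itself is unchanged, which is why this is the lower-effort of the two options in the procedure; the second option, rebuilding the image to listen on a non-privileged port, removes the need for privilege inside the container too.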