The Kubernetes cluster must use non-privileged host ports for user pods.
An XCCDF Rule
Description
Privileged ports are those ports below 1024 and that require system privileges for their use. If containers can use these ports, the container must be run as a privileged user. Kubernetes must stop containers that try to map to these ports directly. Allowing non-privileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. An example is mapping port 8080 externally to port 80 in the container.
- ID
- SV-242414r960966_rule
- Version
- CNTR-K8-000960
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
For any of the pods that are using host-privileged ports, reconfigure the pod to use a service to map a host non-privileged port to the pod port or reconfigure the image to use non-privileged ports.