Using host operating system namespaces can lead to compromise of the host system.
Opening network services of the local host system to the
container creates a new attack surface for attackers.
Host network sharing could provide a significant performance advantage for workloads that require critical network performance. However, the
successful exploitation of this attack vector could have a catastrophic impact on confidentiality within the host.
Ask Yourself Whether
- The host exposes sensitive network services.
- The container’s services performances do not rely on operating system namespaces.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Do not use host operating system namespaces.
Sensitive Code Example
RUN --network=host wget -O /home/sessions http://127.0.0.1:9000/sessions
RUN --network=none wget -O /home/sessions http://127.0.0.1:9000/sessions