☸️ CIS Kubernetes 5.2.4 · Rule: K8S-PS-004 · Severity: high

hostNetwork minimised

Description

Pods should not use hostNetwork. The watcher inspects PodSpec.HostNetwork at the typed-handler level.

⚠️ Risk Impact

Pods with hostNetwork: true share the node's network namespace, so they bypass NetworkPolicy and can listen on host ports — including ports used by control-plane components, enabling man-in-the-middle of in-cluster traffic.

🔍 How EchelonGraph Detects This

K8S-PS-004 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Remove hostNetwork: true from PodSpecs; where a workload genuinely needs to be reachable on the node's address, expose it through a Service of type NodePort or LoadBalancer instead.
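The following is an added example, not EchelonGraph code: it shows the detection described above (an explicit PodSpec.hostNetwork == true on Pods and on workload kinds whose PodSpec sits in a template) and the remediation step, rewriting a workload without hostNetwork and expressing its former hostPort bindings as a NodePort Service. The sample manifests, the kube-system exemption list and the nodePort base number are constructed assumptions; the script runs on manifests already loaded as Python dicts (for example from yaml.safe_load or the API server's JSON).

```python
"""Detect and remediate hostNetwork usage (CIS Kubernetes 5.2.4, rule K8S-PS-004).

Added example, not EchelonGraph's scanner. Manifests are plain dicts.
"""
import copy

# Kinds whose PodSpec lives under spec.template.spec rather than spec.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}
# Assumed exemption list: CNI and kube-proxy style system workloads often need hostNetwork.
DEFAULT_EXEMPT_NAMESPACES = {"kube-system"}


def pod_spec_of(obj):
    """Return the PodSpec dict for a Pod or a templated workload, or None for other kinds."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.setdefault("spec", {})
    if kind in TEMPLATED_KINDS:
        return obj.setdefault("spec", {}).setdefault("template", {}).setdefault("spec", {})
    if kind == "CronJob":
        job = obj.setdefault("spec", {}).setdefault("jobTemplate", {})
        return job.setdefault("spec", {}).setdefault("template", {}).setdefault("spec", {})
    return None


def pod_labels_of(obj):
    """Labels a Service selector must match: pod labels, or template labels for workloads."""
    if obj.get("kind") == "Pod":
        return obj.get("metadata", {}).get("labels", {})
    return obj.get("spec", {}).get("template", {}).get("metadata", {}).get("labels", {})


def scan_host_network(objects, exempt_namespaces=DEFAULT_EXEMPT_NAMESPACES):
    """One finding per workload whose PodSpec explicitly sets hostNetwork: true.

    hostNetwork defaults to false when absent, so only an explicit true counts.
    Exempted namespaces are still reported but flagged, so nothing is hidden.
    """
    findings = []
    for obj in objects:
        spec = pod_spec_of(obj)
        if spec is None or spec.get("hostNetwork") is not True:
            continue
        meta = obj.get("metadata", {})
        ns = meta.get("namespace", "default")
        host_ports = sorted(p["hostPort"] for c in spec.get("containers", [])
                            for p in c.get("ports", []) if "hostPort" in p)
        findings.append({"rule": "K8S-PS-004", "severity": "high", "kind": obj.get("kind"),
                         "namespace": ns, "name": meta.get("name"),
                         "hostPorts": host_ports, "exempt": ns in exempt_namespaces})
    return findings


def remediate(obj, node_port_base=30000):
    """Return (workload without hostNetwork, NodePort Service or None).

    hostNetwork and hostPort bindings are dropped; each former hostPort becomes a
    Service port with a nodePort assigned from node_port_base (assumed to be free).
    """
    fixed = copy.deepcopy(obj)
    spec = pod_spec_of(fixed)
    spec.pop("hostNetwork", None)
    svc_ports = []
    for c in spec.get("containers", []):
        for p in c.get("ports", []):
            if p.pop("hostPort", None) is not None:
                svc_ports.append({"name": p.get("name", f"port-{p['containerPort']}"),
                                  "port": p["containerPort"], "targetPort": p["containerPort"],
                                  "nodePort": node_port_base + len(svc_ports)})
    if not svc_ports:
        return fixed, None
    meta = fixed.get("metadata", {})
    service = {"apiVersion": "v1", "kind": "Service",
               "metadata": {"name": f"{meta.get('name')}-nodeport",
                            "namespace": meta.get("namespace", "default")},
               "spec": {"type": "NodePort", "selector": pod_labels_of(fixed), "ports": svc_ports}}
    return fixed, service


# Constructed sample manifests (not from any real cluster).
SAMPLE_OBJECTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "metrics-agent", "namespace": "monitoring"},
     "spec": {"template": {"metadata": {"labels": {"app": "metrics-agent"}},
                           "spec": {"hostNetwork": True,
                                    "containers": [{"name": "agent", "image": "example/agent",
                                                    "ports": [{"containerPort": 9100, "hostPort": 9100}]}]}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "kube-proxy-x", "namespace": "kube-system"},
     "spec": {"hostNetwork": True, "containers": [{"name": "kube-proxy", "image": "example/proxy"}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"template": {"metadata": {"labels": {"app": "web"}},
                           "spec": {"containers": [{"name": "web", "image": "example/web"}]}}}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "batch", "namespace": "default"},
     "spec": {"hostNetwork": False, "containers": [{"name": "job", "image": "example/job"}]}},
]

if __name__ == "__main__":
    for f in scan_host_network(SAMPLE_OBJECTS):
        print(f)
    workload, svc = remediate(SAMPLE_OBJECTS[0])
    print(workload["spec"]["template"]["spec"], svc)
```

Running the script reports the monitoring Deployment as a non-exempt high finding with hostPort 9100 and the kube-system Pod as an exempt finding, while the two workloads that never enable hostNetwork produce nothing; re-scanning the remediated Deployment yields no finding. Treat the exemption list as something to review deliberately rather than a silent allowlist, since CIS 5.2.4 tolerates hostNetwork only for workloads that truly need it.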

🔗 Cross-Framework References

NIST-SC-7

Automate CIS Kubernetes 5.2.4 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
