DocsICP FilingConsole
官方文档
首页

Configure a pod to use host network mode (hostNetwork)

更新时间:
复制 MD 格式
产品详情
我的收藏

Enable hostNetwork to bypass pod network isolation for node-level monitoring or direct network access.

Important

In production, only enable host network mode for pods that require it. The pod shares the node's network namespace, so a compromised pod gives attackers direct access to the node's network services. These pods bypass network policy restrictions and are governed by the node's security group rules.

Configuration requirements

Note

Host network mode can only be set when creating a workload. You cannot switch existing pods to host network mode.

To enable host network mode,configure the following fields in the pod spec:

  • hostNetwork: true– Shares the node's network namespace.

  • dnsPolicy: ClusterFirstWithHostNet– Enables cluster-internal DNS resolution in host network mode.

  • containerPort– Must match the application's listening port.

apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  hostNetwork: true # Enable the host network mode.
  dnsPolicy: ClusterFirstWithHostNet # Ensure the pod can resolve domain names within the cluster.
  containers:
  - ...
    ports:
      - containerPort: 12000 # The port the container's process listens on. This value must match your application's configuration. The port 12000 is an example.
  ...

Step-by-step example

This example deploys a DaemonSet in host network mode for node-level monitoring with node-exporter.

  1. Create a node-exporter.yaml file with the following manifest. Replace REGION_ID with your cluster's region ID (such as cn-hangzhou).

    apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter-demo
  labels:
    app: node-exporter-demo
spec:
  selector:
    matchLabels:
      app: node-exporter-demo
  template:
    metadata:
      labels:
        app: node-exporter-demo
    spec:
      hostNetwork: true # Enable the host network mode.
      hostPID: true 
      dnsPolicy: ClusterFirstWithHostNet # Ensure the pod can resolve domain names within the cluster.
      containers:
      - name: node-exporter-demo
        image: registry-REGION_ID-vpc.ack.aliyuncs.com/acs/node-exporter:v0.17.0-slim # Replace REGION_ID with your cluster's region ID.
        args:
        - '--path.procfs=/host/proc'
        - '--path.sysfs=/host/sys'
        - '--web.listen-address=0.0.0.0:20000'
        ports:
        - name: metrics
          containerPort: 20000
        volumeMounts:
        - name: proc
          mountPath: /host/proc
          readOnly: true
        - name: sys
          mountPath: /host/sys
          readOnly: true
        resources:
          requests:
            memory: "64Mi"
            cpu: "100m"
          limits:
            memory: "128Mi"
            cpu: "200m"
      volumes:
      - name: proc
        hostPath:
          path: /proc
      - name: sys
        hostPath:
          path: /sys

  2. Apply the manifest to create the DaemonSet.

    kubectl apply -f node-exporter.yaml

    Expected output:

    daemonset/node-exporter created

  3. Check pod status and IP addresses. Pod IPs should match node IPs.

    kubectl get pod -o wide

    Expected output:

    NAME                       READY   STATUS    RESTARTS   AGE     IP               NODE                      NOMINATED NODE   READINESS GATES
node-exporter-demo-49v**   1/1     Running   0          15h     10.***.8.109     xx-xxxx.10.***.8.109      none           none
node-exporter-demo-jdx**   1/1     Running   0          15h     10.***.203.146   xx-xxxx.10.***.203.146    none           none
node-exporter-demo-krg**   1/1     Running   0          15h     10.***.105.151   xx-xxxx.10.***.105.151    none           none

  4. Log on to a node and verify the service is accessible on the host port. The pod listens on the node's port 20000. Access the pod's endpoint:

    curl localhost:20000/metrics

    If the command returns node metrics, the configuration is correct.

FAQ

Why is my pod stuck in the Pending state?

Common causes include:

  • Port conflict: The specified port is already in use on the node, preventing the container from binding. Avoid these reserved ports:

    • Core cluster components: 6443, 9890, 9099, 10250, 10256, and 30000 to 32767.

    • Standard services: 22, 53, 80, and 443.

    • Custom ports used by other workloads on the node.

  • Pod Security Admission (PSA): In clusters with strict security policies, host networking is blocked by default. Label the namespace to allow privileged pods:

    Important

    This label grants pods in the namespace full privileged permissions. Use with caution.

    apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    For pod-security.kubernetes.io details, see Pod Security Admission.

  • Container security policies: Ensure your policy allows host network use and the declared ports are within the allowed range.

Why can't my pod resolve cluster domain names?

This happens when dnsPolicy is incorrect. Set spec.dnsPolicy to ClusterFirstWithHostNet. With ClusterFirst, the pod uses the host node's /etc/resolv.conf, which lacks cluster-internal DNS settings. See Step-by-step example.

Previous:Examples of container networkingNext:Attach an independent EIP to a pod