Add docs for blocking host field using PSA

tssurya · tssurya · commit 5e1715ee00fd · 2025-07-03T13:07:19.000+02:00
Signed-off-by: Surya Seetharaman &lt;suryaseetharaman.9@gmail.com&gt;
diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
@@ -167,6 +167,41 @@ fail validation.
 				</ul>
 			</td>
 		</tr>
+		<tr>
+			<td style="white-space: nowrap">Host Ports</td>
+			<td>
+				<p>HostProbeOrHostLifecycle should be disallowed entirely (recommended) or restricted to a known list</p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.containers[*].livenessProbe.httpGet.host</code></li>
+					<li><code>spec.containers[*].readinessProbe.httpGet.host</code></li>
+					<li><code>spec.containers[*].startupProbe.httpGet.host</code></li>
+					<li><code>spec.containers[*].livenessProbe.tcpSocket.host</code></li>
+					<li><code>spec.containers[*].readinessProbe.tcpSocket.host</code></li>
+					<li><code>spec.containers[*].startupProbe.tcpSocket.host</code></li>
+					<li><code>spec.containers[*].lifecycle.postStart.tcpSocket.host</code> <small>Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility.</small></li>
+					<li><code>spec.containers[*].lifecycle.preStop.tcpSocket.host</code> <small>Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility.</small></li>
+					<li><code>spec.containers[*].lifecycle.postStart.httpGet.host</code></li>
+					<li><code>spec.containers[*].lifecycle.preStop.httpGet.host</code></li>
+					<li><code>spec.initContainers[*].livenessProbe.httpGet.host</code></li>
+					<li><code>spec.initContainers[*].readinessProbe.httpGet.host</code></li>
+					<li><code>spec.initContainers[*].startupProbe.httpGet.host</code></li>
+					<li><code>spec.initContainers[*].livenessProbe.tcpSocket.host</code></li>
+					<li><code>spec.initContainers[*].readinessProbe.tcpSocket.host</code></li>
+					<li><code>spec.initContainers[*].startupProbe.tcpSocket.host</code></li>
+					<li><code>spec.initContainers[*].lifecycle.postStart.tcpSocket.host</code> <small>Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility.</small></li>
+					<li><code>spec.initContainers[*].lifecycle.preStop.tcpSocket.host</code> <small>Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility.</small></li>
+					<li><code>spec.initContainers[*].lifecycle.postStart.httpGet.host</code></li>
+					<li><code>spec.initContainers[*].lifecycle.preStop.httpGet.host</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li>"127.0.0.1"/"::1"</li>
+					<li>Known list (not supported by the built-in <a href="/docs/concepts/security/pod-security-admission/">Pod Security Admission controller</a>)</li>
+					<li><code>0</code></li>
+				</ul>
+			</td>
+		</tr>
 		<tr>
 			<td style="white-space: nowrap">AppArmor</td>
 			<td>
