Update k8s-best-practices-cnf-security.adoc

mwlinca · web-flow · commit e2bdb94960e8 · 2025-07-17T00:04:11.000-04:00
diff --git a/modules/k8s-best-practices-cnf-security.adoc b/modules/k8s-best-practices-cnf-security.adoc
@@ -74,3 +74,18 @@ See test cases link:https://github.com/test-network-function/cnf-certification-t
 
 **Impacts and Risks of Non-Compliance:** Modified base images can introduce security vulnerabilities, create inconsistent behavior, and violate immutable infrastructure principles.
 ====
+
+[id="k8s-best-practices-avoid-the-host-network-namespace"]
+= Avoid the host network namespace
+
+Application pods must avoid using `hostNetwork`. Applications may not use the host network, including `nodePort` for network communication. Any networking needs beyond the functions provided by the pod network and ingress/egress proxy must be serviced via a MULTUS connected interface.
+
+.Workload requirement
+[IMPORTANT]
+====
+Applications may not use `NodePorts` or the `hostNetwork`.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#access-control-service-type[access-control-service-type]
+
+**Impacts and Risks of Non-Compliance:** NodePort services expose applications directly on host ports, creating security risks and potential port conflicts with host services.
+====
