Will It Vibe logoWill It Vibe?
K8S-016Medium severity-8 points

hostPort binds a node port

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A hostPort binds the container port directly on the node, bypassing Service abstractions and reducing scheduling flexibility while widening exposure.

Why it matters

A hostPort binds the container port directly onto the node it runs on. That skips the Service layer, so only one pod can use the port per node, scheduling becomes constrained, and the port is reachable on the node address outside normal Service and NetworkPolicy controls. It widens exposure for little benefit in most designs.

How to fix it

Remove hostPort and expose the workload through a Service (ClusterIP for internal, NodePort or LoadBalancer for external). Keep hostPort only for node-level agents that must listen on a fixed node address, and pair those with a NetworkPolicy and a tight securityContext.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks