Exposing administration services can lead to unauthorized access to containers or to privilege escalation inside them.

Administration services like SSH might contain vulnerabilities, hard-coded credentials, or other security issues that increase the attack surface of a container deployment.
Even if the ports of these services are not forwarded to the host system, by default they are reachable from other containers in the same network. A malicious actor who gains access to one container could use such services to escalate access and privileges.

Ask Yourself Whether

There is a risk if you answered yes to the question.

Recommended Secure Coding Practices

Sensitive Code Example

- name: Podman tasks
  hosts: server
  tasks:
    - name: Start SSH server
      containers.podman.podman_container:
        name: container
        image: lscr.io/linuxserver/openssh-server:version-9.7_p1-r4
        publish:
          - "22:2222" # Sensitive
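
One way to review playbooks for the pattern shown in the sensitive example above (added example, not part of the original page or of any analyzer's code). It assumes the playbook is already loaded into Python lists and dicts, that port 22 is the only administration port of interest, and that a match on either the host or the container side counts; `parse_publish`, `find_exposed_admin_ports` and the sample playbook are hypothetical and constructed for illustration.

```python
# Assumption: ports treated as administration services. The page names SSH only;
# extend this set to match your own policy.
ADMIN_PORTS = {22}
# Fully qualified and short module names for the Podman container module.
PODMAN_MODULES = {"containers.podman.podman_container", "podman_container"}


def _ports(field):
    """Expand '22' or '20-25' into a set of ints; an empty field gives an empty set."""
    if not field:
        return set()
    lo, _, hi = field.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def parse_publish(spec):
    """Parse one publish entry, [[ip:][hostPort]:]containerPort[/protocol].

    Returns (host_ports, container_ports). Splitting from the right keeps
    IPv4 and bracketed IPv6 bind addresses out of the port fields.
    """
    parts = str(spec).split("/", 1)[0].rsplit(":", 2)
    host = _ports(parts[-2]) if len(parts) >= 2 else set()
    return host, _ports(parts[-1])


def find_exposed_admin_ports(playbook, admin_ports=ADMIN_PORTS):
    """Return (task name, publish entry, matched ports) for each risky entry."""
    findings = []
    for play in playbook:
        for task in play.get("tasks", []):
            for module in PODMAN_MODULES & task.keys():
                for spec in (task[module] or {}).get("publish") or []:
                    host, container = parse_publish(spec)
                    hit = (host | container) & set(admin_ports)
                    if hit:
                        findings.append((task.get("name"), str(spec), sorted(hit)))
    return findings


# Constructed sample: the page's playbook plus two extra entries, written as the
# structure a YAML loader would return.
PLAYBOOK = [{"name": "Podman tasks", "hosts": "server", "tasks": [
    {"name": "Start SSH server", "containers.podman.podman_container": {
        "name": "container", "publish": ["22:2222"]}},
    {"name": "Start web server", "containers.podman.podman_container": {
        "name": "web", "publish": ["8080:80", "127.0.0.1:20-25:2222/tcp"]}},
]}]

if __name__ == "__main__":
    for name, spec, ports in find_exposed_admin_ports(PLAYBOOK):
        print(f"{name}: publish {spec!r} exposes administration port(s) {ports}")
```

A check on `publish` alone does not cover services that stay reachable from other containers in the same network without any published port.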

See