diff --git a/README.md b/README.md index 23fa93ec..dd09b262 100644 --- a/README.md +++ b/README.md @@ -123,6 +123,9 @@ The manifest might end up a little too secure for the work it is supposed to do. - [Audit Service Accounts](#sat) - [Audit network policies](#netpol) - [Audit resources](#resources) +- [Audit AppArmor](#apparmor) +- [Audit Seccomp](#seccomp) +- [Audit namespaces](#namespaces) @@ -314,6 +317,8 @@ WARN[0000] CPU limit exceeded, it is set to 1 but it must not exceed 500m. Pleas WARN[0000] Memory limit exceeded, it is set to 512Mi but it must not exceed 125Mi. Please adjust it! ``` + + ## Audit AppArmor It checks that AppArmor is enabled for all containers by making sure the following annotation exists on the pod. @@ -340,6 +345,8 @@ ERRO[0000] AppArmor disabled. Annotation=container.apparmor.security.beta.kubern Container=myContainer KubeType=pod Name=myPod Namespace=myNamespace Reason=badval ``` + + ## Audit Seccomp It checks that Seccomp is enabled for all containers by making sure one or both of the following annotations exists @@ -379,6 +386,19 @@ ERRO[0000] Seccomp disabled for pod. Annotation=seccomp.security.alpha.kubernete Name=myPod Namespace=myNamespace Reason=unconfined ``` + + +## Audit namespaces + +`kubeaudit` will detect whether `hostNetwork`,`hostIPC` or `hostPID` is either set to `true` in `podSpec` for `Pod` workloads + +```sh +kubeaudit namespaces +ERRO[0000] hostNetwork is set to true in podSpec, please set to false! +ERRO[0000] hostIPC is set to true in podSpec, please set to false! +ERRO[0000] hostPID is set to true in podSpec, please set to false! +``` + ## Override Labels 
@@ -444,6 +464,9 @@ metadata: - [container.audit.kubernetes.io/\/allow-read-only-root-filesystem-false](#rootfs_label) - [audit.kubernetes.io/\/allow-non-default-deny-egress-network-policy](#egress_label) - [audit.kubernetes.io/\/allow-non-default-deny-ingress-network-policy](#ingress_label) +- [audit.kubernetes.io/pod/allow-namespace-host-network](#namespacenetwork_label) +- [audit.kubernetes.io/pod/allow-namespace-host-IPC](#namespaceipc_label) +- [audit.kubernetes.io/pod/allow-namespace-host-PID](#namespacepid_label) @@ -555,6 +578,36 @@ audit.kubernetes.io/default/allow-non-default-deny-egress-network-policy: "Egres WARN[0000] Allowed Namespace without a default deny egress NetworkPolicy KubeType=namespace Name=default Reason="Egress is allowed" ``` + + +### audit.kubernetes.io/pod/allow-namespace-host-network + +```sh +audit.kubernetes.io/pod/allow-namespace-host-network: "hostNetwork is allowed" + +WARN[0000] Allowed setting hostNetwork to true KubeType=pod Name=Pod Namespace=PodNamespace Reason="hostNetwork is allowed" +``` + + + +### audit.kubernetes.io/pod/allow-namespace-host-IPC + +```sh +audit.kubernetes.io/pod/allow-namespace-host-IPC: "hostIPC is allowed" + +WARN[0000] Allowed setting hostIPC to true KubeType=pod Name=Pod Namespace=PodNamespace Reason="hostIPC is allowed" +``` + + + +### audit.kubernetes.io/pod/allow-namespace-host-PID + +```sh +audit.kubernetes.io/pod/allow-namespace-host-PID: "hostPID is allowed" + +WARN[0000] Allowed setting hostPID to true KubeType=pod Name=Pod Namespace=PodNamespace Reason="hostPID is allowed" +``` + ## Drop capabilities list 
@@ -617,7 +670,10 @@ spec: automount-service-account-token: deny # Set to `allow` to skip auditing potential vulnerability read-only-root-filesystem-false: deny # Set to `allow` to skip auditing potential vulnerability non-default-deny-ingress-network-policy: deny # Set to `allow` to skip auditing potential vulnerability - non-default-deny-egress-network-policy: deny # Set to `allow` to skip auditing potential vulnerability + non-default-deny-egress-network-policy: deny # Set to `allow` to skip auditing potential vulnerability + namespace-host-network: deny # Set to `allow` to skip auditing potential vulnerability + namespace-host-IPC: deny # Set to `allow` to skip auditing potential vulnerability + namespace-host-PID: deny # Set to `allow` to skip auditing potential vulnerability ``` diff --git a/cmd/all.go b/cmd/all.go index 4e078c6e..7d2ba71a 100644 --- a/cmd/all.go +++ b/cmd/all.go @@ -7,7 +7,7 @@ import ( var allAuditFunctions = []interface{}{ auditAllowPrivilegeEscalation, auditReadOnlyRootFS, auditRunAsNonRoot, auditAutomountServiceAccountToken, auditPrivileged, auditCapabilities, - auditLimits, auditImages, auditAppArmor, auditSeccomp, auditNetworkPolicies, + auditLimits, auditImages, auditAppArmor, auditSeccomp, auditNetworkPolicies, auditNamespaces, } var auditAllCmd = &cobra.Command{ diff --git a/cmd/autofix_util.go b/cmd/autofix_util.go index 56a55cb1..3b34d76d 100644 --- a/cmd/autofix_util.go +++ b/cmd/autofix_util.go @@ -16,7 +16,7 @@ func getAuditFunctions() []interface{} { return []interface{}{ auditAllowPrivilegeEscalation, auditReadOnlyRootFS, auditRunAsNonRoot, auditAutomountServiceAccountToken, auditPrivileged, auditCapabilities, - auditAppArmor, auditSeccomp, auditNetworkPolicies, + auditAppArmor, auditSeccomp, auditNetworkPolicies, auditNamespaces, } } 
@@ -48,6 +48,8 @@ func fixPotentialSecurityIssue(resource Resource, result Result) Resource {
 resource = fixSeccomp(resource)
 case ErrorMissingDefaultDenyIngressNetworkPolicy, ErrorMissingDefaultDenyEgressNetworkPolicy, ErrorMissingDefaultDenyIngressAndEgressNetworkPolicy:
 resource = fixNetworkPolicy(resource, occurrence)
+ case ErrorNamespaceHostIPCTrue, ErrorNamespaceHostNetworkTrue, ErrorNamespaceHostPIDTrue:
+ resource = fixNamespace(&result, resource)
 }
 }
 return resource
diff --git a/cmd/config.go b/cmd/config.go
index 9d82c1ea..47f3eabe 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -48,29 +48,33 @@ type KubeauditConfigOverrides struct { ReadOnlyRootFilesystemFalse string `yaml:"read-only-root-filesystem-false"` NonDefaultDenyIngressNetworkPolicy string `yaml:"non-default-deny-ingress-network-policy"` NonDefaultDenyEgressNetworkPolicy string `yaml:"non-default-deny-egress-network-policy"` + HostNetwork string `yaml:"namespace-host-network"` + HostPID string `yaml:"namespace-host-PID"` + HostIPC string `yaml:"namespace-host-IPC"` } func mapOverridesToStructFields(label string) string { - if label == "allow-privilege-escalation" { + switch label { + case "allow-privilege-escalation": return "PrivilegeEscalation" - } - if label == "allow-privileged" { + case "allow-privileged": return "Privileged" - } - if label == "allow-run-as-root" { + case "allow-run-as-root": return "RunAsRoot" - } - if label == "allow-automount-service-account-token" { + case "allow-automount-service-account-token": return "AutomountServiceAccountToken" - } - if label == "allow-read-only-root-filesystem-false" { + case "allow-read-only-root-filesystem-false": return "ReadOnlyRootFilesystemFalse" - } - if label == "allow-non-default-deny-egress-network-policy" { + case "allow-non-default-deny-egress-network-policy": return "NonDefaultDenyEgressNetworkPolicy" - } - if label == "allow-non-default-deny-ingress-network-policy" { + case "allow-non-default-deny-ingress-network-policy": return "NonDefaultDenyIngressNetworkPolicy" + case "allow-namespace-host-network": + return "HostNetwork" + case "allow-namespace-host-IPC": + return "HostIPC" + case "allow-namespace-host-PID": + return "HostPID" } return "" } diff --git a/cmd/errors.go b/cmd/errors.go index 87a352cf..b9f6b870 100644 --- a/cmd/errors.go +++ b/cmd/errors.go 
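Review bot: The new override keys in the struct tags (`namespace-host-PID`, `namespace-host-IPC`) and the label suffixes in the switch (`allow-namespace-host-IPC`, `allow-namespace-host-PID`) are the only mixed-case keys in this file; every existing key is lowercase (`read-only-root-filesystem-false`, `non-default-deny-egress-network-policy`). Kubernetes label keys and YAML keys are case-sensitive, so a user who writes `allow-namespace-host-pid` by analogy with the other labels gets no override and a hard error, with nothing telling them why. I would rename to `namespace-host-pid`/`namespace-host-ipc` and `allow-namespace-host-ipc`/`allow-namespace-host-pid` before this ships, since changing a label key later breaks every manifest that already carries it. The same spelling then has to be applied to the README, fixtures and configs in this commit.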
@@ -95,6 +95,18 @@ const (
 ErrorMissingDefaultDenyIngressNetworkPolicy
 // ErrorMissingDefaultDenyIngressNetworkPolicyAllowed occurs when a namespace is missing a default deny ingress NetworkPolicy but it's allowed
 ErrorMissingDefaultDenyIngressNetworkPolicyAllowed
+ // ErrorNamespaceHostIPCTrue occurs when a hostIPC is set to true in PodSpec
+ ErrorNamespaceHostIPCTrue
+ // ErrorNamespaceHostIPCTrueAllowed occurs when a hostIPC is set to true in PodSpec but it's allowed
+ ErrorNamespaceHostIPCTrueAllowed
+ // ErrorNamespaceHostIPCTrue occurs when a hostNetwork is set to true in PodSpec
+ ErrorNamespaceHostNetworkTrue
+ // ErrorNamespaceHostNetworkTrueAllowed occurs when a hostNetwork is set to true in PodSpec but it's allowed
+ ErrorNamespaceHostNetworkTrueAllowed
+ // ErrorNamespaceHostIPCTrue occurs when a hostPID is set to true in PodSpec
+ ErrorNamespaceHostPIDTrue
+ // ErrorNamespaceHostPIDTrueAllowed occurs when a hostPID is set to true in PodSpec but it's allowed
+ ErrorNamespaceHostPIDTrueAllowed
 // InfoDefaultDenyNetworkPolicyExists occurs when a namespace has a default deny NetworkPolicy
 InfoDefaultDenyNetworkPolicyExists
 // WarningAllowAllIngressNetworkPolicyExists occurs when a namespace has an allow all ingress NetworkPolicy
diff --git a/cmd/namespaces.go b/cmd/namespaces.go
new file mode 100644
index 00000000..ff726d0c
--- /dev/null
+++ b/cmd/namespaces.go
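Review bot: Two of the six new doc comments name the wrong constant: the comment above `ErrorNamespaceHostNetworkTrue` reads `// ErrorNamespaceHostIPCTrue occurs when a hostNetwork ...` and the one above `ErrorNamespaceHostPIDTrue` reads `// ErrorNamespaceHostIPCTrue occurs when a hostPID ...`. They should be `// ErrorNamespaceHostNetworkTrue occurs when hostNetwork is set to true in PodSpec` and `// ErrorNamespaceHostPIDTrue occurs when hostPID is set to true in PodSpec`; golint also flags a doc comment that does not start with the identifier it documents. Separately, these constants are inserted in the middle of what the hunk header shows as a `const (` block that is presumably iota-numbered, which shifts the integer values of `InfoDefaultDenyNetworkPolicyExists` and everything after it; harmless if the values are only ever compared symbolically, but worth confirming that nothing serializes or documents the raw numbers.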
@@ -0,0 +1,128 @@ +package cmd + +import ( + "github.com/spf13/cobra" +) + +// Checks the PodSecurityContext for NIX +func checkNamespaces(podSpec PodSpecV1, result *Result) { + if labelExists, reason := getPodOverrideLabelReason(result, "allow-namespace-host-network"); labelExists { + if podSpec.HostNetwork { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorNamespaceHostNetworkTrueAllowed, + kind: Warn, + message: "Allowed setting hostNetwork to true", + metadata: Metadata{"Reason": prettifyReason(reason)}, + } + result.Occurrences = append(result.Occurrences, occ) + } else { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorMisconfiguredKubeauditAllow, + kind: Warn, + message: "Allowed setting hostNetwork to true, but it is set to false", + metadata: Metadata{"Reason": prettifyReason(reason)}, + } + result.Occurrences = append(result.Occurrences, occ) + } + } else if podSpec.HostNetwork { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorNamespaceHostNetworkTrue, + kind: Error, + message: "hostNetwork is set to true in podSpec, please set to false!", + } + result.Occurrences = append(result.Occurrences, occ) + } + if labelExists, reason := getPodOverrideLabelReason(result, "allow-namespace-host-IPC"); labelExists { + if podSpec.HostIPC { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorNamespaceHostIPCTrueAllowed, + kind: Warn, + message: "Allowed setting hostIPC to true", + metadata: Metadata{"Reason": prettifyReason(reason)}, + } + result.Occurrences = append(result.Occurrences, occ) + } else { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorMisconfiguredKubeauditAllow, + kind: Warn, + message: "Allowed setting hostIPC to true, but it is set to false", + metadata: Metadata{"Reason": prettifyReason(reason)}, + } + result.Occurrences = append(result.Occurrences, occ) + } + } else if podSpec.HostIPC { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorNamespaceHostIPCTrue, + kind: Error, + 
message: "hostIPC is set to true in podSpec, please set to false!", + } + result.Occurrences = append(result.Occurrences, occ) + } + if labelExists, reason := getPodOverrideLabelReason(result, "allow-namespace-host-PID"); labelExists { + if podSpec.HostPID { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorNamespaceHostPIDTrueAllowed, + kind: Warn, + message: "Allowed setting hostPID to true", + metadata: Metadata{"Reason": prettifyReason(reason)}, + } + result.Occurrences = append(result.Occurrences, occ) + } else { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorMisconfiguredKubeauditAllow, + kind: Warn, + message: "Allowed setting hostPID to true, but it is set to false", + metadata: Metadata{"Reason": prettifyReason(reason)}, + } + result.Occurrences = append(result.Occurrences, occ) + } + } else if podSpec.HostPID { + occ := Occurrence{ + podHost: podSpec.Hostname, + id: ErrorNamespaceHostPIDTrue, + kind: Error, + message: "hostPID is set to true in podSpec, please set to false!", + } + result.Occurrences = append(result.Occurrences, occ) + } + return +} + +func auditNamespaces(resource Resource) (results []Result) { + switch kubeType := resource.(type) { + case *PodV1: + podSpec := kubeType.Spec + result, _, _ := newResultFromResource(resource) + checkNamespaces(podSpec, result) + if len(result.Occurrences) > 0 { + results = append(results, *result) + } + } + return +} + +// runAsNonRootCmd represents the runAsNonRoot command +var namespacesCmd = &cobra.Command{ + Use: "namespaces", + Short: "Audit Pods for hostNetwork, hostIPC and hostPID", + Long: `This command determines which pods in a kubernetes cluster +are running with hostNetwork, hostIPC or hostPID set to true. 
+
+A PASS is given when a pod has hostNetwork, hostIPC and hostPID set to false or not set
+A FAIL is generated when a pod has at least one of hostNetwork, hostIPC or hostPID set to true
+
+kubeaudit namespaces`,
+ Run: runAudit(auditNamespaces),
+}
+
+func init() {
+ RootCmd.AddCommand(namespacesCmd)
+}
diff --git a/cmd/namespaces_fixes.go b/cmd/namespaces_fixes.go
new file mode 100644
index 00000000..3d7cfc3e
--- /dev/null
+++ b/cmd/namespaces_fixes.go
@@ -0,0 +1,18 @@
+package cmd
+
+func fixNamespace(result *Result, resource Resource) Resource {
+ switch kubeType := resource.(type) {
+ case *PodV1:
+ if labelExists, _ := getPodOverrideLabelReason(result, "allow-namespace-host-network"); !labelExists {
+ kubeType.Spec.HostNetwork = false
+ }
+ if labelExists, _ := getPodOverrideLabelReason(result, "allow-namespace-host-PID"); !labelExists {
+ kubeType.Spec.HostPID = false
+ }
+ if labelExists, _ := getPodOverrideLabelReason(result, "allow-namespace-host-IPC"); !labelExists {
+ kubeType.Spec.HostIPC = false
+ }
+ return kubeType.DeepCopyObject()
+ }
+ return resource
+}
diff --git a/cmd/namespaces_fixes_test.go b/cmd/namespaces_fixes_test.go
new file mode 100644
index 00000000..2617606a
--- /dev/null
+++ b/cmd/namespaces_fixes_test.go
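Review bot: `fixNamespace` has no doc comment and, unlike `fixNetworkPolicy(resource, occurrence)` in autofix_util.go, takes the result before the resource; I would add `// fixNamespace clears hostNetwork, hostPID and hostIPC on a Pod unless the matching allow-namespace-host-* override is present, and returns a deep copy.` and consider the `(resource, result)` parameter order for consistency with its siblings. It also ignores which occurrence triggered it and clears all three flags on every call; that is correct today because each flag is audited and overridden independently, but a one-line comment saying so would spare the next reader from checking whether a PID error can clobber an allowed hostNetwork (it cannot, because of the label check).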
@@ -0,0 +1,75 @@ +package cmd + +import ( + "testing" +) + +func TestFixHostNetworkTrueV1(t *testing.T) { + assert, resource := FixTestSetup(t, "host_network_true_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.False(kubeType.Spec.HostNetwork) + } +} +func TestFixHostIPCTrueV1(t *testing.T) { + assert, resource := FixTestSetup(t, "host_IPC_true_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.False(kubeType.Spec.HostNetwork) + } +} +func TestFixHostPIDTrueV1(t *testing.T) { + assert, resource := FixTestSetup(t, "host_PID_true_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.False(kubeType.Spec.HostNetwork) + } +} + +func TestFixHostNetworkTrueAllowedV1(t *testing.T) { + assert, resource := FixTestSetup(t, "host_network_true_allowed_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.True(kubeType.Spec.HostNetwork) + } +} +func TestFixHostIPCTrueAllowedV1(t *testing.T) { + assert, resource := FixTestSetup(t, "host_IPC_true_allowed_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.True(kubeType.Spec.HostIPC) + } +} +func TestFixHostPIDTrueAllowedV1(t *testing.T) { + assert, resource := FixTestSetup(t, "host_PID_true_allowed_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.True(kubeType.Spec.HostPID) + } +} + +func TestFixNamespacesMisconfiguredAllowV1(t *testing.T) { + assert, resource := FixTestSetup(t, "namespaces_misconfigured_allow_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.False(kubeType.Spec.HostNetwork) + } +} +func TestFixNamespacesAllTrueV1(t *testing.T) { + assert, resource := FixTestSetup(t, "namespaces_all_true_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.False(kubeType.Spec.HostNetwork) + assert.False(kubeType.Spec.HostPID) + 
assert.False(kubeType.Spec.HostIPC) + } +} +func TestFixNamespacesAllTrueAllowedV1(t *testing.T) { + assert, resource := FixTestSetup(t, "namespaces_all_true_allowed_v1.yml", auditNamespaces) + switch kubeType := resource.(type) { + case *PodV1: + assert.True(kubeType.Spec.HostNetwork) + assert.True(kubeType.Spec.HostPID) + assert.True(kubeType.Spec.HostIPC) + } +} diff --git a/cmd/namespaces_test.go b/cmd/namespaces_test.go new file mode 100644 index 00000000..3d605a12 --- /dev/null +++ b/cmd/namespaces_test.go 
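Review bot: `TestFixHostIPCTrueV1` and `TestFixHostPIDTrueV1` assert `kubeType.Spec.HostNetwork`, which is already false in `host_IPC_true_v1.yml` and `host_PID_true_v1.yml`, so both tests pass even if `fixNamespace` never touches the IPC or PID flag; they should assert `assert.False(kubeType.Spec.HostIPC)` and `assert.False(kubeType.Spec.HostPID)` respectively. `TestFixNamespacesMisconfiguredAllowV1` only checks a flag that the fixture already sets to false, so it would be stronger if it also asserted that the pod's labels survive the fix. Every test here silently does nothing when the type switch falls through; a `default: t.Fatalf("unexpected resource type %T", resource)` arm turns a wrong type from a false pass into a failure.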
@@ -0,0 +1,45 @@ +package cmd + +import "testing" + +func TestHostNetworkTrueV1(t *testing.T) { + runAuditTest(t, "host_network_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostNetworkTrue}) +} + +func TestHostIPCTrueV1(t *testing.T) { + runAuditTest(t, "host_IPC_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostIPCTrue}) +} + +func TestHostPIDTrueV1(t *testing.T) { + runAuditTest(t, "host_PID_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostPIDTrue}) +} +func TestHostNetworkTrueAllowedV1(t *testing.T) { + runAuditTest(t, "host_network_true_allowed_v1.yml", auditNamespaces, []int{ErrorNamespaceHostNetworkTrueAllowed}) +} + +func TestHostIPCTrueAllowedV1(t *testing.T) { + runAuditTest(t, "host_IPC_true_allowed_v1.yml", auditNamespaces, []int{ErrorNamespaceHostIPCTrueAllowed}) +} + +func TestHostPIDTrueAllowedV1(t *testing.T) { + runAuditTest(t, "host_PID_true_allowed_v1.yml", auditNamespaces, []int{ErrorNamespaceHostPIDTrueAllowed}) +} +func TestNamespacesMisconfiguredAllowV1(t *testing.T) { + runAuditTest(t, "namespaces_misconfigured_allow_v1.yml", auditNamespaces, []int{ErrorMisconfiguredKubeauditAllow}) +} + +func TestNamespacesAllTrueV1(t *testing.T) { + runAuditTest(t, "namespaces_all_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostPIDTrue, ErrorNamespaceHostIPCTrue, ErrorNamespaceHostNetworkTrue}) +} + +func TestNamespacesAllTrueAllowedV1(t *testing.T) { + runAuditTest(t, "namespaces_all_true_allowed_v1.yml", auditNamespaces, []int{ErrorNamespaceHostPIDTrueAllowed, ErrorNamespaceHostIPCTrueAllowed, ErrorNamespaceHostNetworkTrueAllowed}) +} + +func TestAllowNamespacesFromConfig(t *testing.T) { + rootConfig.auditConfig = "../configs/allow_namespaces_from_config.yml" + runAuditTest(t, "host_network_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostNetworkTrueAllowed, ErrorMisconfiguredKubeauditAllow}) + runAuditTest(t, "host_IPC_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostIPCTrueAllowed, ErrorMisconfiguredKubeauditAllow}) + 
runAuditTest(t, "host_PID_true_v1.yml", auditNamespaces, []int{ErrorNamespaceHostPIDTrueAllowed, ErrorMisconfiguredKubeauditAllow}) + rootConfig.auditConfig = "" +} diff --git a/configs/allow_namespaces_from_config.yml b/configs/allow_namespaces_from_config.yml new file mode 100644 index 00000000..f902bd18 --- /dev/null +++ b/configs/allow_namespaces_from_config.yml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: kubeauditConfig +audit: true +spec: + overrides: + namespace-host-network: allow # Set to `allow` to skip auditing potential vulnerability + namespace-host-IPC: allow # Set to `allow` to skip auditing potential vulnerability + namespace-host-PID: allow # Set to `allow` to skip auditing potential vulnerability diff --git a/configs/kubeauditConfig.yaml b/configs/kubeauditConfig.yaml index 964d7626..7cc187c2 100644 --- a/configs/kubeauditConfig.yaml +++ b/configs/kubeauditConfig.yaml @@ -26,5 +26,8 @@ spec: run-as-root: deny automount-service-account-token: deny read-only-root-filesystem-false: deny - non-default-deny-egress-network-policy: allow - non-default-deny-ingress-network-policy: allow + non-default-deny-egress-network-policy: deny + non-default-deny-ingress-network-policy: deny + namespace-host-network: deny + namespace-host-IPC: deny + namespace-host-PID: deny diff --git a/fixtures/host_IPC_true_allowed_v1.yml b/fixtures/host_IPC_true_allowed_v1.yml new file mode 100644 index 00000000..b52aa074 --- /dev/null +++ b/fixtures/host_IPC_true_allowed_v1.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace + labels: + audit.kubernetes.io/pod/allow-namespace-host-IPC: "some reason" +spec: + containers: + - name: container + hostIPC: true diff --git a/fixtures/host_IPC_true_v1.yml b/fixtures/host_IPC_true_v1.yml new file mode 100644 index 00000000..93090af6 --- /dev/null +++ b/fixtures/host_IPC_true_v1.yml 
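Review bot: `TestAllowNamespacesFromConfig` mutates the package-global `rootConfig.auditConfig` and only restores it on its last line, so if any `runAuditTest` call stops the test early the override leaks into every later test in the package; restore it with `defer func() { rootConfig.auditConfig = "" }()` (or `t.Cleanup`) right after setting it. Note also that each expected slice lists `ErrorMisconfiguredKubeauditAllow` once, while the config allows all three namespaces and each fixture sets only one flag to true, so `checkNamespaces` emits two misconfigured-allow warnings per pod; whether that matches depends on how `runAuditTest` compares occurrences, which is not visible here and worth a look.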
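Review bot: The two lines that flip `non-default-deny-egress-network-policy` and `non-default-deny-ingress-network-policy` from `allow` to `deny` in configs/kubeauditConfig.yaml are an unrelated behaviour change and nothing in the commit explains them; if this file is what users copy as their starting config, it turns two previously skipped audits into failures. Either keep them as `allow` in this commit and add only the three `namespace-host-*` keys, or call the change out explicitly in the commit message.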
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace +spec: + containers: + - name: container + hostIPC: true diff --git a/fixtures/host_PID_true_allowed_v1.yml b/fixtures/host_PID_true_allowed_v1.yml new file mode 100644 index 00000000..195f4df6 --- /dev/null +++ b/fixtures/host_PID_true_allowed_v1.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace + labels: + audit.kubernetes.io/pod/allow-namespace-host-PID: "some reason" +spec: + containers: + - name: container + hostPID: true diff --git a/fixtures/host_PID_true_v1.yml b/fixtures/host_PID_true_v1.yml new file mode 100644 index 00000000..6ae3ee75 --- /dev/null +++ b/fixtures/host_PID_true_v1.yml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace +spec: + containers: + - name: container + hostPID: true diff --git a/fixtures/host_network_true_allowed_v1.yml b/fixtures/host_network_true_allowed_v1.yml new file mode 100644 index 00000000..a4e962f0 --- /dev/null +++ b/fixtures/host_network_true_allowed_v1.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace + labels: + audit.kubernetes.io/pod/allow-namespace-host-network: "some reason" +spec: + containers: + - name: container + hostNetwork: true diff --git a/fixtures/host_network_true_v1.yml b/fixtures/host_network_true_v1.yml new file mode 100644 index 00000000..1b89b593 --- /dev/null +++ b/fixtures/host_network_true_v1.yml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace +spec: + containers: + - name: container + hostNetwork: true diff --git a/fixtures/namespaces_all_true_allowed_v1.yml b/fixtures/namespaces_all_true_allowed_v1.yml new file mode 100644 index 00000000..9e23bfae --- /dev/null +++ b/fixtures/namespaces_all_true_allowed_v1.yml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace + labels: + audit.kubernetes.io/pod/allow-namespace-host-network: "some reason" + audit.kubernetes.io/pod/allow-namespace-host-IPC: "some reason" + audit.kubernetes.io/pod/allow-namespace-host-PID: "some reason" +spec: + containers: + - name: container + hostPID: true + hostIPC: true + hostNetwork: true diff --git a/fixtures/namespaces_all_true_v1.yml b/fixtures/namespaces_all_true_v1.yml new file mode 100644 index 00000000..ca1517dd --- /dev/null +++ b/fixtures/namespaces_all_true_v1.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace +spec: + containers: + - name: container + hostPID: true + hostIPC: true + hostNetwork: true diff --git a/fixtures/namespaces_misconfigured_allow_v1.yml b/fixtures/namespaces_misconfigured_allow_v1.yml new file mode 100644 index 00000000..76a772f0 --- /dev/null +++ b/fixtures/namespaces_misconfigured_allow_v1.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: Pod + namespace: PodNamespace + labels: + audit.kubernetes.io/pod/allow-namespace-host-network: "some reason" +spec: + containers: + - name: container + hostNetwork: false