Host process ID namespace sharing is allowed
ID | share_host_pid
Severity | low
Vendor | Kubernetes
Resource | General Security
Tags | reachable
Description
When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
This breaks the isolation between container images and can make processes visible to other containers in the pod. This includes everything under the /proc directory, which can contain passwords or keys passed as environment variables.
We recommend you do not admit containers wishing to share the host process ID namespace.
Examples
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: bad
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostPID: true   # (1)
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
(1) hostPID set to true means host process ID namespace sharing is enabled: this policy admits pods that request it.
Mitigation / Fix
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: good
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: false
  hostPorts:
    - min: 0
      max: 65535
  hostPID: false   # (1)
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
(1) hostPID set to false means host process ID namespace sharing is disabled: pods that request hostPID are rejected by this policy.
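As an added example (not part of the original rule page), the following check implements the share_host_pid rule over parsed Kubernetes manifests. It takes already-parsed documents (for example the output of yaml.safe_load) so it needs no third-party library; the kind-to-spec-path mapping and the sample manifests are constructed for this example and mirror the good and bad policies above.

```python
"""share_host_pid: flag manifests whose spec enables host PID namespace sharing."""

# Where the hostPID flag lives for each resource kind. This mapping is an
# assumption made for this example, covering policies, bare pods and the
# common workload controllers that embed a pod template.
_KIND_SPEC_PATHS = {
    "PodSecurityPolicy": ("spec",),
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj, path):
    """Walk a nested dict along `path`; return None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def find_host_pid(docs):
    """Return [(kind, name)] for every document whose pod spec sets hostPID: true.

    Only a real boolean True counts, which is what a YAML `true` parses to;
    unknown kinds and documents without a spec are skipped."""
    findings = []
    for doc in docs:
        if not isinstance(doc, dict):
            continue
        kind = doc.get("kind")
        path = _KIND_SPEC_PATHS.get(kind)
        if path is None:
            continue
        spec = _dig(doc, path) or {}
        if spec.get("hostPID") is True:
            name = _dig(doc, ("metadata", "name")) or "<unnamed>"
            findings.append((kind, name))
    return findings


# Constructed sample manifests in parsed form (not from a real cluster).
SAMPLE_DOCS = [
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "bad"}, "spec": {"hostPID": True, "hostNetwork": True}},
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "good"}, "spec": {"hostPID": False}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
     "spec": {"hostPID": True, "containers": [{"name": "c", "image": "busybox"}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [{"name": "c", "image": "nginx"}]}}}},
]

if __name__ == "__main__":
    for kind, name in find_host_pid(SAMPLE_DOCS):
        print(f"share_host_pid [low]: {kind}/{name} sets hostPID: true")
```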