When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod. This feature can enable configuring cooperating containers that do not include debugging tools, such as a logger sidecar container or troubleshooting container images.
Sharing the host process ID namespace breaks the isolation between container images and can make processes visible to other containers in the pod. This includes all information in the /proc directory, which can sometimes include passwords or keys, passed as environment variables.
We recommend you do not admit containers wishing to share the host process ID namespace.
- Resource: PodSecurityPolicy
- Argument: hostPID (Optional)
When set to false, Pod are unable to use their host's PID namespace.
apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: <policy name> spec: + hostPID: false
To use a PodSecurityPolicy resource the requesting user or target pod’s service account must be authorized to use the policy. The preferred method is to grant access to the service account. In the following example we use RBAC, a standard Kubernetes authorization mode.
A Role or ClusterRole must grant access to use the desired policies.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: <role name> rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - <policy name>
The ClusterRole is then bound to the authorized service(s):
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: <binding name> roleRef: kind: ClusterRole name: <role name> apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: <authorized service account name> namespace: <authorized pod namespace>
Updated about 1 year ago