Ensure containers do not share host process ID namespace

Error: Containers share host process ID namespace

Bridgecrew Policy ID: BC_K8S_16
Checkov Check ID: CKV_K8S_17
Severity: MEDIUM

Containers share host process ID namespace

Description

Namespaces provide isolation for running processes and limit access to system resources, without the running process agnostic to its limitations.

To limit an attacker's options to escalate privileges from within a container, we recommend you configure containers to refrain from sharing the host process ID namespace.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: hostPID (Optional)
    If true, the Pod uses the host's PID namespace. Default to false.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
- hostPID: true
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
-          hostPID: true
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
  	spec:
-    	hostPID: true