Containers wishing to share host process ID namespace admitted

Description

When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod. This can be useful for cooperating containers that do not include debugging tools, such as a logger sidecar or a troubleshooting container image. Sharing the host process ID namespace, however, breaks the isolation between container images and can make processes visible to other containers in the pod. This includes everything under the /proc directory, which can contain passwords or keys passed as environment variables. We recommend that you do not admit containers wishing to share the host process ID namespace.

Code Example

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  hostPID: false
```

Remediation

Kubernetes

  • Resource: PodSecurityPolicy
  • Arguments: hostPID (Optional). When set to false, Pods are unable to use the host's PID namespace.
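The check behind this rule, as an added example rather than Checkov's or Prisma Cloud's own implementation: it flags a PodSecurityPolicy whose spec sets hostPID to true (the CKV_K8S_1 case) and, going one step further than the rule, the same flag on the PodSpec of a Pod or templated workload. It assumes the manifests have already been parsed into dicts (the shape yaml.safe_load_all produces); the sample objects are constructed for the example.

```python
"""Flag Kubernetes manifests that admit or request the host PID namespace."""

# Workload kinds whose PodSpec sits under spec.template.spec.
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def pod_spec(obj):
    """Return the PodSpec for a Pod or templated workload, else None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in TEMPLATED_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def check_host_pid(obj):
    """Return a finding string if obj allows or uses hostPID, else None.

    PSP: an explicit `hostPID: true` admits pods into the host PID namespace
    (an omitted field defaults to false). Pods/workloads: the same flag on the
    PodSpec means the pod itself asks for the host PID namespace.
    """
    kind = obj.get("kind", "<unknown>")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    if kind == "PodSecurityPolicy":
        if obj.get("spec", {}).get("hostPID") is True:
            return f"{kind}/{name}: admits containers sharing the host PID namespace"
        return None
    spec = pod_spec(obj)
    if spec is not None and spec.get("hostPID") is True:
        return f"{kind}/{name}: pod requests the host PID namespace"
    return None


def scan(objects):
    """Apply check_host_pid to parsed manifests (yaml.safe_load_all output)."""
    return [f for f in map(check_host_pid, objects) if f]


# Constructed sample manifests, as the dicts yaml.safe_load would produce.
SAMPLE_OBJECTS = [
    {"kind": "PodSecurityPolicy", "metadata": {"name": "permissive"},
     "spec": {"hostPID": True}},
    {"kind": "PodSecurityPolicy", "metadata": {"name": "restricted"},
     "spec": {"hostPID": False}},
    {"kind": "Deployment", "metadata": {"name": "debug-agent"},
     "spec": {"template": {"spec": {"hostPID": True, "containers": []}}}},
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"containers": [{"name": "app", "image": "nginx"}]}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_OBJECTS):
        print(finding)
```

PodSecurityPolicy was removed in Kubernetes 1.25, so on current clusters the workload-level check is the one that still applies; the baseline Pod Security Standard enforced by Pod Security Admission forbids hostPID in the same way.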

Rule Details

| Field      | Value      |
|------------|------------|
| ID         | IAC-1079   |
| Severity   | MEDIUM     |
| IaC Type   | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_1  |
