Containers share host process ID namespace
Description
Namespaces isolate running processes and limit their access to system resources while keeping the process itself unaware of those limits. A container that shares the host PID namespace (`hostPID: true`) can enumerate every process on the node and read their `/proc/<pid>` entries, and if it also holds a capability such as `CAP_SYS_PTRACE` it can attach to them, which gives an attacker inside the container a direct path to escalate privileges onto the host. To limit those options, we recommend you configure containers to refrain from sharing the host process ID namespace.
Code Example

The following Pod manifest fails this check because it opts into the host PID namespace:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  hostPID: true
```

Remediation
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Arguments: hostPID (Optional) If true, the Pod uses the host's PID namespace. Defaults to false. Remove the field or set it explicitly to false. For workload controllers the field sits in the pod template (spec.template.spec.hostPID; for CronJob, spec.jobTemplate.spec.template.spec.hostPID).
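The check itself is a small traversal of the manifest to the PodSpec, whose location depends on the resource kind listed above. The following scanner is an added example, not Checkov's own implementation: it walks each listed kind to its PodSpec and reports any workload with `hostPID: true`. The manifests are constructed inline as the dictionaries `yaml.safe_load` would produce; `load_yaml_file` is a convenience for real files and needs PyYAML, which is assumed to be installed only if you call it.

```python
"""Find Kubernetes workloads that share the host PID namespace (hostPID: true).

Added example: operates on manifests already parsed into dicts (the shape
yaml.safe_load returns), so it runs offline without PyYAML.
"""
from typing import Any, Dict, List, Optional

# Where the PodSpec lives for each workload kind named in the remediation.
# Pod carries the spec directly; controllers embed it in a pod template;
# CronJob nests a Job template one level deeper.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec dict for a supported kind, or None if absent/unsupported."""
    path = POD_SPEC_PATH.get(manifest.get("kind", ""))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def shares_host_pid(manifest: Dict[str, Any]) -> bool:
    """True when the workload's PodSpec sets hostPID to the boolean true.

    The API field is a bool, so a YAML `true` arrives as Python True; an
    absent field means the default (false) and passes the check.
    """
    spec = pod_spec(manifest)
    return spec is not None and spec.get("hostPID") is True


def scan(manifests: List[Dict[str, Any]]) -> List[str]:
    """Return 'kind/namespace/name' for every manifest that fails the check."""
    findings = []
    for manifest in manifests:
        if shares_host_pid(manifest):
            meta = manifest.get("metadata", {})
            findings.append(
                f"{manifest.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"
            )
    return findings


def load_yaml_file(path: str) -> List[Dict[str, Any]]:
    """Parse a (possibly multi-document) manifest file. Requires PyYAML (assumed installed)."""
    import yaml  # third-party; imported lazily so the rest of the module runs without it

    with open(path, "r", encoding="utf-8") as fh:
        return [doc for doc in yaml.safe_load_all(fh) if isinstance(doc, dict)]


# Constructed sample manifests for demonstration (not taken from any real cluster).
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {   # fails: Pod opting into the host PID namespace
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "debug-shell"},
        "spec": {"hostPID": True, "containers": [{"name": "sh", "image": "busybox"}]},
    },
    {   # fails: the field is set inside the Deployment's pod template
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "node-agent", "namespace": "monitoring"},
        "spec": {"template": {"spec": {"hostPID": True,
                                       "containers": [{"name": "agent", "image": "agent:1"}]}}},
    },
    {   # passes: CronJob with hostPID explicitly false
        "apiVersion": "batch/v1", "kind": "CronJob",
        "metadata": {"name": "nightly", "namespace": "batch"},
        "spec": {"jobTemplate": {"spec": {"template": {"spec": {
            "hostPID": False, "containers": [{"name": "job", "image": "job:1"}]}}}}},
    },
    {   # passes: field omitted, so the default (false) applies
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "web"},
        "spec": {"containers": [{"name": "web", "image": "nginx"}]},
    },
    {   # ignored: not a workload kind
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "web"},
        "spec": {"selector": {"app": "web"}},
    },
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_MANIFESTS):
        print("hostPID enabled:", finding)
```

Run it against a directory of manifests by replacing `SAMPLE_MANIFESTS` with the concatenated output of `load_yaml_file` for each file; the same traversal table is what an admission policy would use to reject these objects at apply time.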
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1095 |
| Severity | MEDIUM |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_17 |