lacework-global-649

Profile Applicability

• Level 1

Description

Do not generally permit the running of containers with the hostPID flag set to true.

Rationale

A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container.

Impact

Pods defined with spec.hostPID: true will not be permitted.

Audit

The following command returns pods which have the spec.hostPID flag set to true.

Run the command and verify that it does not return any pods:

kubectl get pods -o jsonpath="{range.items[?(@.spec.hostPID==true)]}{.metadata.name}{'\n'}{end}"

Remediation

Update pod configurations to ensure that the spec.hostPID flag is false or not set (defaults to false if not set).

The following example explicitly sets the hostPID flag to false:

apiVersion: v1
kind: Pod
metadata:
    name: example-pod
spec:
    hostPID: false
    containers:
    - name: hello-world
      image: hello-world

References

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#podspec-v1-core
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

4.2.2 Minimize the execution of container workloads sharing the host process ID namespace (Automated)​

Profile Applicability​

Description​

Rationale​

Impact​

Audit​

Remediation​

References​

4.2.2 Minimize the execution of container workloads sharing the host process ID namespace (Automated)