Containers wishing to share host process ID namespace admitted
Description
When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod. This feature can enable configuring cooperating containers that do not include debugging tools, such as a logger sidecar container or troubleshooting container images.
Sharing the host process ID namespace breaks the isolation between container images and can make processes visible to other containers in the pod. This includes all information in the /proc directory, which can sometimes include passwords or keys, passed as environment variables.
We recommend you do not admit containers wishing to share the host process ID namespace.
Fix - Buildtime
Kubernetes
- Resource: PodSecurityPolicy
- Argument: hostPID (Optional)
When set to false, Pod are unable to use their host's PID namespace.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: <policy name>
spec:
+ hostPID: false
To use a PodSecurityPolicy resource the requesting user or target pod’s service account must be authorized to use the policy. The preferred method is to grant access to the service account. In the following example we use RBAC, a standard Kubernetes authorization mode.
A Role or ClusterRole must grant access to use the desired policies.
Kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: <role name>
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- <policy name>
The ClusterRole is then bound to the authorized service(s):
Kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: <binding name>
roleRef:
kind: ClusterRole
name: <role name>
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: <authorized service account name>
namespace: <authorized pod namespace>