Containers share host process ID namespace
Description
Namespaces provide isolation for running processes and limit their access to system resources, while the running process itself stays unaware of those limits.
To limit an attacker's options for escalating privileges from within a container, we recommend you configure containers not to share the host process ID namespace.
Fix - Buildtime
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: hostPID (Optional)
If true, the Pod uses the host's PID namespace. Defaults to false.
In the templates below, the line prefixed with `-` is the one to remove (or set to `false`); omitting `hostPID` leaves it at its default of `false`.

```yaml Pod
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
- hostPID: true
```

```yaml CronJob
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
        - hostPID: true
```

```yaml Other
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
    - hostPID: true
```
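The templates above put the PodSpec at a different depth depending on the resource kind, which is exactly what a manifest check has to account for. The following is an added example, not code from the original policy page or from any scanner it describes: a small buildtime check that walks the kind-specific path to the PodSpec, flags workloads that set `hostPID: true`, and returns a remediated copy with the field removed. It operates on manifests already parsed into Python dicts (as PyYAML's `safe_load` would produce); the sample manifests, their names and the helper function names are all constructed for this example.

```python
"""Added example (not from the original page): flag and remediate Kubernetes
workloads that share the host PID namespace.

Spec paths mirror the resource kinds listed in the policy:
  Pod      -> spec
  CronJob  -> spec.jobTemplate.spec.template.spec
  others   -> spec.template.spec   (Deployment, DaemonSet, StatefulSet,
                                    ReplicaSet, ReplicationController, Job)
"""
import copy
from typing import Any, Dict, List, Optional

# Hypothetical helper names; the path table is derived from the templates above.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
DEFAULT_POD_SPEC_PATH = ("spec", "template", "spec")


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec dict of a workload manifest, or None if it is absent."""
    node: Any = manifest
    path = POD_SPEC_PATH.get(manifest.get("kind", ""), DEFAULT_POD_SPEC_PATH)
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def shares_host_pid(manifest: Dict[str, Any]) -> bool:
    """True only for an explicit boolean true; an omitted hostPID is the safe default."""
    spec = pod_spec(manifest)
    return spec is not None and spec.get("hostPID") is True


def check_manifests(manifests: List[Dict[str, Any]]) -> List[str]:
    """Return 'Kind/name' for every manifest that shares the host PID namespace."""
    findings = []
    for m in manifests:
        if shares_host_pid(m):
            name = m.get("metadata", {}).get("name", "<unnamed>")
            findings.append(f"{m.get('kind', '<unknown>')}/{name}")
    return findings


def remediate(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with hostPID dropped, so it falls back to the default false."""
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    if spec is not None:
        spec.pop("hostPID", None)
    return fixed


# Constructed sample manifests (the parsed form of YAML), one per spec shape.
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
     "spec": {"hostPID": True, "containers": [{"name": "sh", "image": "busybox"}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"hostPID": True,
                                    "containers": [{"name": "web", "image": "nginx"}]}}}},
    {"apiVersion": "batch/v1beta1", "kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"schedule": "0 2 * * *",
              "jobTemplate": {"spec": {"template": {"spec": {
                  "hostPID": True,
                  "containers": [{"name": "job", "image": "busybox"}]}}}}}},
    # hostPID omitted: compliant by default, must not be flagged.
    {"apiVersion": "batch/v1", "kind": "Job", "metadata": {"name": "migrate"},
     "spec": {"template": {"spec": {"containers": [{"name": "m", "image": "busybox"}]}}}},
]


if __name__ == "__main__":
    for finding in check_manifests(SAMPLE_MANIFESTS):
        print("hostPID shared by", finding)
    fixed = [remediate(m) for m in SAMPLE_MANIFESTS]
    print("findings after remediation:", check_manifests(fixed))
```

The check treats only a boolean `true` as a finding, matching how YAML parses `hostPID: true`; a manifest with no `hostPID` at all is compliant because the field defaults to false, and `remediate` relies on that default rather than writing an explicit `hostPID: false`.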