Containers should not use the host PID namespace
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | Kubernetes | PERMISSION |
Description
Process IDentifier (PID) namespaces contribute to isolating containers by limiting their processes' interactions to other processes in the same namespace. Using the host PID namespace is heavily discouraged, as it loses the security benefits of separating containers.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
In case of a compromised container:
- Escalation attacks
- Leak of host process data (environment variables, configuration...)
Remediation guidelines
Disallow access to the host PID namespace. This can be done by changing 'containers[].securityContext.spec.hostPID' to 'false'.
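The check and fix described above, as an added example that is not part of the original rule: a Python audit over parsed manifests (the dict form of `kubectl get ... -o json`) that reports every workload whose PodSpec sets hostPID: true and returns a corrected copy. In a manifest the field is the pod-level `spec.hostPID` (or `spec.template.spec.hostPID` inside a controller's pod template), which is where the script looks; the kinds, names and images in the samples are constructed.

```python
import json

# Where the PodSpec lives for each kind. hostPID is a pod-level field
# (spec.hostPID), not a per-container securityContext field.
_POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def pod_spec(manifest):
    """Return the PodSpec dict for a supported kind, or None if unsupported."""
    node = manifest
    for key in _POD_SPEC_PATH.get(manifest.get("kind"), ()):
        node = node.get(key, {})
    return None if node is manifest else node

def host_pid_findings(manifests):
    """Return (kind, namespace/name) for every workload with hostPID: true."""
    findings = []
    for m in manifests:
        spec = pod_spec(m)
        if spec is not None and spec.get("hostPID") is True:  # omitted = False
            meta = m.get("metadata", {})
            findings.append((m["kind"], f"{meta.get('namespace', 'default')}/{meta.get('name')}"))
    return findings

def remediate(manifest):
    """Return a deep copy with hostPID explicitly set to false (input untouched)."""
    fixed = json.loads(json.dumps(manifest))
    spec = pod_spec(fixed)
    if spec is not None:
        spec["hostPID"] = False
    return fixed

# Constructed samples: a Pod and a DaemonSet that share the host PID
# namespace, and a compliant Pod that omits the field.
SAMPLES = [
    {"kind": "Pod", "metadata": {"name": "debug-shell", "namespace": "ops"},
     "spec": {"hostPID": True, "containers": [{"name": "sh", "image": "busybox"}]}},
    {"kind": "DaemonSet", "metadata": {"name": "node-agent", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"hostPID": True,
              "containers": [{"name": "agent", "image": "example/agent:1.0"}]}}}},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
]
```

Running `host_pid_findings(SAMPLES)` reports the first two workloads; feeding `remediate(...)` copies back through the check yields no findings.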