Containers should not use the host PID namespace
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | Kubernetes | PERMISSION |
Description
Process IDentifier (PID) namespaces contributes to isolating containers, by limiting their processes interactions to other processes in the same namespace. Using the host PID namespace is heavily discouraged, as it loses the security benefits from separating containers.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
In case of a compromised container:
- Escalation attacks
- Leak of host processes data (environment variables, configuration...)
Remediation guidelines
Disallow access to the host namespace. This can be done by changing 'containers[].securityContext.spec.hostPID' to 'false'.
References
Was this page helpful?
