Prevent Host PID 1.1.6

Enforces that no container is able to use the PID namespace of the node it is running on. The PID namespace is a crucial part of container isolation: a container that shares the host's PID namespace can see every process on the node. This policy denies access to the host's process IDs in order to prevent leaking information such as environment variables and configuration.


Note that this policy is part of the following security standards:

  • k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.2.2
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A16
  • bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A4

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

The line marked with "-" is the one the policy rejects; remove it (hostPID defaults to false) to make the Deployment compliant.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
-     hostPID: true
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventhostpid as in the example below, with the justification for the exception as its value.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.preventhostpid: |-
      This container needs to use host namespaces for the following reasons.
...
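As an added example that is not part of Security Tower's own code, the following Python check applies this rule to every kind listed under "Applies to": it locates the PodSpec for each kind and honours the risk-acceptance annotation. Manifests are passed as dicts (what yaml.safe_load returns), and the sample Deployment below is constructed from the page's example.

```python
# Added example, not Security Tower's own code: a minimal admission-style
# check for the Prevent Host PID rule, covering every kind the policy
# applies to and honouring the exclusion annotation from the page.

EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventhostpid"

# Key path from each workload kind to its embedded PodSpec.
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "ReplicaSet": TEMPLATE, "ReplicationController": TEMPLATE,
    "Deployment": TEMPLATE, "StatefulSet": TEMPLATE,
    "DaemonSet": TEMPLATE, "Job": TEMPLATE,
    "CronJob": ("spec", "jobTemplate") + TEMPLATE,
}


def pod_spec(obj):
    """Return the PodSpec embedded in a workload object, or None if absent."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    node = obj
    for key in path or ():
        node = node.get(key) if isinstance(node, dict) else None
    return node if path else None


def check_host_pid(obj):
    """Return ('allow' | 'deny' | 'excluded', reason) for one workload."""
    spec = pod_spec(obj)
    if spec is None:
        return "allow", "kind not covered by this policy"
    # hostPID is a bool in the API; unset means false and is compliant.
    if spec.get("hostPID") is not True:
        return "allow", "hostPID is not set"
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    reason = (annotations.get(EXCLUSION_ANNOTATION) or "").strip()
    if reason:
        return "excluded", reason
    return "deny", "hostPID: true shares the node's PID namespace"


# Constructed sample: the page's nginx Deployment with hostPID left in.
OFFENDING_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [{"name": "nginx", "image": "nginx:1.14.2"}]}}},
}
```

Call check_host_pid on each parsed object; a CronJob is resolved through spec.jobTemplate, and an empty annotation value does not count as an exclusion.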