Prevent Proc Mount Overwrite 1.1.5

The directory /proc is a virtual filesystem that exposes process and system information, such as system memory and mounted devices. Some of this information is masked from containers for security reasons. The policy prevents this default from being overwritten via securityContext.procMount (for example by setting it to Unmasked).

Note that this policy is part of the following security standards:

  • k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A4

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: v1
kind: Pod
metadata:
  name: procmount-example
spec:
  containers:
  - name: hello
    image: dummy-cronjob:invalid
    securityContext:
      procMount: Default
  - name: nginx
    image: nginx:1.14.2
    securityContext:
      procMount: Unmasked

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventprocmountoverwrite as in the example below.

apiVersion: v1
kind: Pod
metadata:
  name: your-pod
  annotations:
    securitytower.io/policy.exclusion.preventprocmountoverwrite: |-
      This container must use custom proc mount.
...
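The following is an added example, not code from the policy page or from the Security Tower project. It reproduces the check offline over a manifest that has already been parsed into a dictionary: it walks the Pod spec of every kind the policy applies to (including the nested template of a CronJob), flags any container whose procMount is set to something other than Default, and honours the exclusion annotation named above. The function names and the sample manifests are constructed for illustration; only the Kubernetes field names and the annotation key are taken from the page.

```python
"""Find containers that override the masked /proc mount via securityContext.procMount.

Added example for this policy page; not the policy engine's own code. The walker,
function names and sample documents are constructed; the field names are the real
Kubernetes API fields and the annotation key is the one the page documents.
"""
from typing import Any, Dict, List, Tuple

# Annotation documented on the page; its presence marks an accepted risk.
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventprocmountoverwrite"

# Kinds the policy applies to, mapped to where the embedded Pod spec lives.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj: Any, path: Tuple[str, ...]) -> Any:
    """Follow a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def find_proc_mount_violations(manifest: Dict) -> List[Tuple[str, str]]:
    """Return (container name, procMount value) for each container that sets
    procMount to anything other than the masked default.

    An unset procMount keeps the masked /proc, so only explicit non-Default
    values are reported. Init and ephemeral containers are checked as well,
    since they carry their own securityContext.
    """
    kind = manifest.get("kind")
    if kind not in POD_SPEC_PATH:
        return []  # policy does not apply to this kind
    annotations = _dig(manifest, ("metadata", "annotations")) or {}
    if EXCLUSION_ANNOTATION in annotations:
        return []  # risk explicitly accepted via the exclusion annotation
    pod_spec = _dig(manifest, POD_SPEC_PATH[kind]) or {}
    violations: List[Tuple[str, str]] = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field) or []:
            sc = container.get("securityContext") or {}
            value = sc.get("procMount")
            if value is not None and value != "Default":
                violations.append((container.get("name", "<unnamed>"), value))
    return violations


# Constructed sample: the page's example Pod as a parsed document.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "procmount-example"},
    "spec": {
        "containers": [
            {"name": "hello", "image": "dummy-cronjob:invalid",
             "securityContext": {"procMount": "Default"}},
            {"name": "nginx", "image": "nginx:1.14.2",
             "securityContext": {"procMount": "Unmasked"}},
        ]
    },
}

# Constructed sample: a CronJob whose job template overrides the mount.
SAMPLE_CRONJOB = {
    "apiVersion": "batch/v1",
    "kind": "CronJob",
    "metadata": {"name": "nightly"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "worker", "image": "worker:1",
                        "securityContext": {"procMount": "Unmasked"}}]
    }}}}},
}

# Constructed sample: same as the Pod above, but with the risk accepted.
SAMPLE_EXCLUDED_POD = {
    **SAMPLE_POD,
    "metadata": {"name": "your-pod", "annotations": {
        EXCLUSION_ANNOTATION: "This container must use custom proc mount."}},
}

if __name__ == "__main__":
    for doc in (SAMPLE_POD, SAMPLE_CRONJOB, SAMPLE_EXCLUDED_POD):
        name = doc["metadata"]["name"]
        print(f"{doc['kind']}/{name}: {find_proc_mount_violations(doc)}")
```

To run the check over real manifests, parse each YAML document with a library such as PyYAML (yaml.safe_load_all) and pass the resulting dictionaries to find_proc_mount_violations; the function itself has no third-party dependencies.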