Prevent Proc Mount Overwrite 1.1.5

/proc is a virtual filesystem (procfs) through which the kernel exposes process and system information: process memory maps, mounted filesystems, kernel tunables under /proc/sys, and so on. Container runtimes deliberately mask some of these paths (for example /proc/kcore and /proc/keys) and mount others read-only (for example /proc/sys and /proc/sysrq-trigger) so that a process inside the container cannot read kernel memory or change host-wide kernel settings. Kubernetes lets a manifest switch that masking off per container with securityContext.procMount: Unmasked (the field only takes effect where the ProcMountType feature gate is enabled). This policy rejects any container, init container or ephemeral container whose procMount is set to a value other than Default; leaving the field unset is equivalent to Default and is compliant.

Note that this policy is part of the following security standards:

  • k8s/baseline: Minimally restrictive policy while preventing known privilege escalations.
  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A4
Categories: Host Access, Security

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob


In the example below the first container is compliant (procMount: Default) and the second violates the policy (procMount: Unmasked):

apiVersion: v1
kind: Pod
metadata:
  name: procmount-example
spec:
  containers:
  - name: hello
    image: dummy-cronjob:invalid
    securityContext:
      procMount: Default
  - name: nginx
    image: nginx:1.14.2
    securityContext:
      procMount: Unmasked   # violation: only Default (or unset) is allowed
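The following checker is an added example written for this page; it is not the policy engine's own implementation. It applies the rule above to every kind the policy covers: it locates the embedded pod spec for each kind (including the doubly nested CronJob template), walks containers, initContainers and ephemeralContainers, and reports any procMount other than Default or unset. The manifests at the bottom are constructed for the example (the page's two-container Pod, a CronJob with the violation hidden in an init container, a compliant Deployment and an uncovered Service); the function and constant names are the author's choices.

```python
# Added example, not the policy's own implementation: a minimal checker for
# the rule "securityContext.procMount must be unset or Default".

# Where the pod spec lives for each kind the policy applies to.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# All three container lists carry a securityContext; init and ephemeral
# containers are easy to forget and would otherwise slip past the check.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(obj):
    """Return the embedded PodSpec, {} if absent, None for uncovered kinds."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return None
    cur = obj
    for key in path:
        if not isinstance(cur, dict):
            return {}
        cur = cur.get(key) or {}
    return cur if isinstance(cur, dict) else {}


def proc_mount_violations(obj):
    """List (field, container name, value) for every non-Default procMount."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    found = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            value = (c.get("securityContext") or {}).get("procMount")
            if value is not None and value != "Default":
                found.append((field, c.get("name"), value))
    return found


def evaluate(objects):
    """Map 'kind/name' -> violations for each object that has any."""
    report = {}
    for obj in objects:
        v = proc_mount_violations(obj)
        if v:
            meta = obj.get("metadata") or {}
            report[f"{obj.get('kind')}/{meta.get('name')}"] = v
    return report


# Constructed sample manifests, already parsed (no YAML library needed).
SAMPLE_POD = {  # the page's example: the second container violates
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "procmount-example"},
    "spec": {"containers": [
        {"name": "hello", "image": "dummy-cronjob:invalid",
         "securityContext": {"procMount": "Default"}},
        {"name": "nginx", "image": "nginx:1.14.2",
         "securityContext": {"procMount": "Unmasked"}},
    ]},
}
SAMPLE_CRONJOB = {  # violation hidden in an init container of a CronJob
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "nightly"},
    "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "image": "busybox:1.36",
                            "securityContext": {"procMount": "Unmasked"}}],
        "containers": [{"name": "run", "image": "busybox:1.36"}],
    }}}}},
}
SAMPLE_DEPLOYMENT = {  # compliant: field unset or Default only
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "nginx:1.14.2"},
        {"name": "sidecar", "image": "busybox:1.36",
         "securityContext": {"procMount": "Default"}},
    ]}}},
}
SAMPLE_SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"}}

if __name__ == "__main__":
    objects = [SAMPLE_POD, SAMPLE_CRONJOB, SAMPLE_DEPLOYMENT, SAMPLE_SERVICE]
    for name, violations in evaluate(objects).items():
        for field, container, value in violations:
            print(f"{name}: {field}[{container}] procMount={value} (must be Default or unset)")
```

Running the block reports procmount-example (containers nginx) and nightly (initContainers setup); the Deployment and the Service produce nothing. Treating a missing securityContext, a missing pod spec or an unknown kind as "no violation" keeps the checker from crashing on arbitrary cluster objects, which is the behaviour you want when it runs as an admission check.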

Risk acceptance

To accept the risk for a specific workload, add the annotation to that workload's metadata as in the example below; the policy then accepts the violation for that resource and the annotation value serves as the documented justification. Note that the annotation key itself is not shown on this page; only the justification text is. Keep the acceptance scoped to the single workload that needs it and review the justification, since an unmasked /proc gives the container read access to kernel memory and write access to host-wide kernel settings.

apiVersion: v1
kind: Pod
metadata:
  name: your-pod
  annotations: |-
      This container must use custom proc mount.