PSP allows sharing host PID

Documentos > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > PSP allows sharing host PID

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: 91dacd0e-d189-4a9c-8272-5999a3cc32d9

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

PodSecurityPolicy allows containers to share the host process ID namespace when ‘spec.hostPID’ is true. Sharing the host PID namespace lets containers see and interact with host processes, increasing the risk of information exposure and privilege escalation. This rule flags policies where ‘spec.hostPID’ is true; it should be false or undefined.

Compliant Code Examples

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostPID: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

Non-Compliant Code Examples

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostPID: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny