PSP allows sharing host IPC
Id: 80f93444-b240-4ebb-a4c6-5c40b76c04ea
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: High
Category: Insecure Configurations
Description
PodSecurityPolicy ‘spec.hostIPC’ allows containers to share the host IPC namespace when set to true. Sharing the host IPC namespace lets processes in a container observe or interfere with IPC resources of other containers or the host, increasing the risk of information disclosure and privilege escalation. ‘spec.hostIPC’ should be set to false or left undefined to preserve IPC isolation.
Compliant Code Examples
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```
Non-Compliant Code Examples
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostIPC: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```
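As an added check (not part of this Datadog rule or its examples), the following Python scans the JSON that `kubectl ... -o json` returns for the non-compliant setting shown above; it goes beyond the PodSecurityPolicy case to Pod and Deployment specs, where the same `hostIPC` field appears, and treats an absent or `false` value as compliant. The input shape and the set of kinds scanned are assumptions, and the sample input is constructed.

```python
"""Flag Kubernetes objects whose pod-level spec sets hostIPC: true.

Added example, not from the Datadog rule page. Input is the JSON shape of
`kubectl ... -o json` (constructed sample below); false or absent is compliant.
"""
import json

# Where the pod-level spec lives for each kind scanned (assumed set of kinds).
SPEC_PATHS = {
    "PodSecurityPolicy": ("spec",),
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
}

def allows_host_ipc(obj):
    """True when the object's pod-level spec has hostIPC set to true."""
    path = SPEC_PATHS.get(obj.get("kind"))
    if path is None:
        return False
    spec = obj
    for key in path:
        spec = spec.get(key, {}) if isinstance(spec, dict) else {}
    # Only a boolean true is a finding; absent or false keeps IPC isolation.
    return isinstance(spec, dict) and spec.get("hostIPC") is True

def find_host_ipc(kubectl_json):
    """Return sorted 'kind/namespace/name' strings for non-compliant objects."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        if allows_host_ipc(item):
            meta = item.get("metadata", {})
            ns = meta.get("namespace", "-")  # PSPs are cluster-scoped
            findings.append(f"{item['kind']}/{ns}/{meta.get('name')}")
    return sorted(findings)

# Constructed sample shaped like `kubectl get psp,pods,deploy -A -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "example-bad"}, "spec": {"hostIPC": True}},
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "example-ok"}, "spec": {"hostIPC": False}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dbg", "namespace": "dev"},
     "spec": {"hostIPC": True, "containers": []}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": []}}}},
]})
```

Running `find_host_ipc(SAMPLE)` reports the PSP and the Pod that enable `hostIPC`, while the PSP with `hostIPC: false` and the Deployment that leaves the field undefined pass.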