Container runs unmasked

Ce produit n'est pas pris en charge par le site Datadog que vous avez sélectionné. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 0ad60203-c050-4115-83b6-b94bde92541d

Cloud Provider: Kubernetes

Platform: Terraform

Severity: High

Category: Insecure Configurations

Learn More

Description

Checks whether a container has unmasked access to the host’s /proc filesystem, which allows retrieval of sensitive information and could permit changing kernel parameters at runtime. The rule verifies that kubernetes_pod_security_policy.spec.allowed_proc_mount_types does not contain the value Unmasked and that allowed_proc_mount_types includes Default as the expected value. Unmasked access to /proc increases the attack surface and can enable privilege escalation or other runtime compromises.

Compliant Code Examples

resource "kubernetes_pod_security_policy" "example" {
  metadata {
    name = "terraform-example"
  }
  spec {
    privileged                 = false
    allow_privilege_escalation = false
    allowed_proc_mount_types   = ["Default"]

    volumes = [
      "configMap",
      "emptyDir",
      "projected",
      "secret",
      "downwardAPI",
      "persistentVolumeClaim",
    ]

    run_as_user {
      rule = "MustRunAsNonRoot"
    }

    se_linux {
      rule = "RunAsAny"
    }

    supplemental_groups {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    fs_group {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    read_only_root_filesystem = true
  }
}

Non-Compliant Code Examples

resource "kubernetes_pod_security_policy" "example" {
  metadata {
    name = "terraform-example"
  }
  spec {
    privileged                 = false
    allow_privilege_escalation = false
    allowed_proc_mount_types   = ["Unmasked"]

    volumes = [
      "configMap",
      "emptyDir",
      "projected",
      "secret",
      "downwardAPI",
      "persistentVolumeClaim",
    ]

    run_as_user {
      rule = "MustRunAsNonRoot"
    }

    se_linux {
      rule = "RunAsAny"
    }

    supplemental_groups {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    fs_group {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    read_only_root_filesystem = true
  }
}