Metadata

Id: 91dacd0e-d189-4a9c-8272-5999a3cc32d9

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Insecure Configurations

Description

PodSecurityPolicy allows containers to share the host process ID namespace when ‘spec.hostPID’ is true. Sharing the host PID namespace lets containers see and interact with host processes, increasing the risk of information exposure and privilege escalation. This rule flags policies where ‘spec.hostPID’ is true; it should be false or undefined.

Compliant Code Examples

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostPID: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

Non-Compliant Code Examples

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostPID: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
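
The check described above, as an added Python example that is not part of the original page or of the rule's own implementation. It assumes the manifests are available as JSON (a single object or a `List` wrapper with `items`); the function names and the sample policy names are constructed for illustration.

```python
import json

# Constructed sample input: the page's two policies plus one that omits hostPID,
# wrapped in a JSON "List" object. The Pod entry is there to show rule scope.
SAMPLE = json.loads("""
{
  "kind": "List",
  "items": [
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "compliant-false"}, "spec": {"hostPID": false}},
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "compliant-undefined"},
     "spec": {"seLinux": {"rule": "RunAsAny"}}},
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "shares-host-pid"}, "spec": {"hostPID": true}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "not-a-policy"}, "spec": {"hostPID": true}}
  ]
}
""")


def iter_objects(doc):
    """Yield each object from a single manifest or a List wrapper."""
    if isinstance(doc, dict) and isinstance(doc.get("items"), list):
        for item in doc["items"]:
            yield from iter_objects(item)
    elif isinstance(doc, dict):
        yield doc


def find_hostpid_policies(doc):
    """Return names of PodSecurityPolicy objects whose spec.hostPID is true."""
    flagged = []
    for obj in iter_objects(doc):
        if obj.get("kind") != "PodSecurityPolicy":
            continue  # this rule only covers PodSecurityPolicy objects
        spec = obj.get("spec") or {}
        # false or undefined is compliant; only an explicit true is flagged
        if spec.get("hostPID") is True:
            name = (obj.get("metadata") or {}).get("name", "<unnamed>")
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_hostpid_policies(SAMPLE):
        print(f"non-compliant: PodSecurityPolicy/{name} sets spec.hostPID: true")
```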