Shared host PID namespace
This product is not supported for your selected
Datadog site. (
).
Id: 302736f4-b16c-41b8-befe-c0baffa0bd9d
Cloud Provider: k8s
Framework: Kubernetes
Severity: High
Category: Insecure Configurations
Learn More
Description
Containers should not share the host process ID namespace.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
hostPID: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
apiVersion: serving.knative.dev/v1
kind: Configuration
metadata:
name: dummy-config
namespace: knative-sequence
spec:
template:
spec:
hostPID: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
Non-Compliant Code Examples
apiVersion: serving.knative.dev/v1
kind: Configuration
metadata:
name: dummy-config
namespace: knative-sequence
spec:
template:
spec:
hostPID: true
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
hostPID: true
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
