Containers should not have full (unmasked) access to the host's /proc filesystem. By default the container runtime masks sensitive paths under /proc (for example /proc/kcore and /proc/keys) and mounts /proc/sys read-only; an unmasked /proc removes that masking, which can expose kernel and host information and allow kernel parameters to be changed from inside the container. A PodSecurityPolicy's spec.allowedProcMountTypes must not include the value "Unmasked". Leaving the field unset, or listing only "Default", restricts pods to the masked /proc, since an empty allowlist permits only the Default mount type; the "Unmasked" type exists for nested-container workloads and only takes effect when the ProcMountType feature gate is enabled. Allowing "Unmasked" increases the risk of information disclosure and host compromise. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the equivalent control is the Pod Security Admission "baseline" profile, which rejects any container whose securityContext.procMount is set to something other than Default.
Compliant Code Examples
```yaml
# This code is correct: the query should not find any result.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    kubernetes.io/description: 'restricted psp for all standard use-cases'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: restricted
spec:
  allowPrivilegeEscalation: false # Disallow privilege escalation to any special capabilities
  allowedProcMountTypes:
    - Default # Disallow full /proc mounts, only allow the "default" masked /proc
  fsGroup: # disallow root fsGroups for volume mounts
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  hostIPC: false # disallow sharing the host IPC namespace
  hostNetwork: false # disallow host networking
  hostPID: false # disallow sharing the host process ID namespace
  hostPorts: # disallow low host ports (this seems to only apply to eth0 on EKS)
    - max: 65535
      min: 1025
  privileged: false # disallow privileged pods
  readOnlyRootFilesystem: true # change default from 'false' to 'true'
  requiredDropCapabilities: # Linux capabilities every pod must drop
    - AUDIT_CONTROL
    - CHOWN
  runAsGroup: # disallow GID 0 for pods (block root group)
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  runAsUser: # disallow UID 0 for pods
    rule: MustRunAsNonRoot
  seLinux: # Harness for SELinux
    rule: RunAsAny
  supplementalGroups: # restrict supplemental GIDs to be non-zero (non-root)
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  volumes: # allow only these volume types
    - configMap
    - downwardAPI
    - emptyDir
    - projected
    - secret
```
Non-Compliant Code Examples
```yaml
# This code is problematic: the query should report a result.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    kubernetes.io/description: 'restricted psp for all standard use-cases'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: restricted
spec:
  allowPrivilegeEscalation: false # Disallow privilege escalation to any special capabilities
  allowedProcMountTypes:
    - Unmasked # Non-compliant: permits a full, unmasked /proc inside the container
  fsGroup: # disallow root fsGroups for volume mounts
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  hostIPC: false # disallow sharing the host IPC namespace
  hostNetwork: false # disallow host networking
  hostPID: false # disallow sharing the host process ID namespace
  hostPorts: # disallow low host ports (this seems to only apply to eth0 on EKS)
    - max: 65535
      min: 1025
  privileged: false # disallow privileged pods
  readOnlyRootFilesystem: true # change default from 'false' to 'true'
  requiredDropCapabilities: # Linux capabilities every pod must drop
    - AUDIT_CONTROL
    - CHOWN
  runAsGroup: # disallow GID 0 for pods (block root group)
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  runAsUser: # disallow UID 0 for pods
    rule: MustRunAsNonRoot
  seLinux: # Harness for SELinux
    rule: RunAsAny
  supplementalGroups: # restrict supplemental GIDs to be non-zero (non-root)
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  volumes: # allow only these volume types
    - configMap
    - downwardAPI
    - emptyDir
    - projected
    - secret
```
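The rule above is a static check on one field of a PodSecurityPolicy. The following is an added example, not part of this page or of Datadog's scanner, of the same check written as a small script a practitioner could run in CI or from an admission webhook. It goes slightly beyond the page: besides flagging "Unmasked" in a PodSecurityPolicy's spec.allowedProcMountTypes, it also flags securityContext.procMount: Unmasked on containers in Pods and common workload kinds, which is the field a pod uses to request the unmasked mount and the one Pod Security Admission checks once PodSecurityPolicy is gone. Manifests are read as JSON (kubectl accepts JSON, and `kubectl convert` or any YAML library can produce it) to avoid a YAML dependency; the three sample manifests are constructed for the example, and the function and kind names are the example's own.

```python
"""Flag Kubernetes objects that permit an unmasked /proc mount (added example)."""
import json
from typing import Any, Dict, List, Tuple

# Where the pod spec lives for each workload kind we inspect.
_POD_SPEC_PATHS: Dict[str, Tuple[str, ...]] = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj: Any, path: Tuple[str, ...]) -> Any:
    """Follow a key path through nested dicts; return None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def check_object(obj: Dict[str, Any]) -> List[str]:
    """Return one finding per violation in a single Kubernetes object."""
    findings: List[str] = []
    kind = obj.get("kind")
    name = _dig(obj, ("metadata", "name")) or "<unnamed>"

    if kind == "PodSecurityPolicy":
        # An absent or empty allowlist permits only the Default mount type,
        # so the only violation is an explicit "Unmasked" entry.
        allowed = _dig(obj, ("spec", "allowedProcMountTypes")) or []
        if "Unmasked" in allowed:
            findings.append(
                f"PodSecurityPolicy/{name}: spec.allowedProcMountTypes permits Unmasked"
            )
        return findings

    if kind not in _POD_SPEC_PATHS:
        return findings  # kind carries no pod spec; nothing to check
    pod_spec = _dig(obj, _POD_SPEC_PATHS[kind]) or {}
    # procMount is per container, so look at every container list in the pod spec.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field) or []:
            if _dig(container, ("securityContext", "procMount")) == "Unmasked":
                findings.append(
                    f"{kind}/{name}: {field}[{container.get('name')}] "
                    "sets securityContext.procMount=Unmasked"
                )
    return findings


def check_manifest(text: str) -> List[str]:
    """Scan a JSON manifest (a single object or a v1 List) and return all findings."""
    doc = json.loads(text)
    items = doc.get("items") or [] if doc.get("kind") == "List" else [doc]
    findings: List[str] = []
    for item in items:
        findings.extend(check_object(item))
    return findings


# Constructed sample manifests (not from the page), trimmed to the relevant fields.
COMPLIANT_PSP = json.dumps({
    "apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {"privileged": False, "allowedProcMountTypes": ["Default"]},
})
NONCOMPLIANT_PSP = json.dumps({
    "apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {"privileged": False, "allowedProcMountTypes": ["Default", "Unmasked"]},
})
UNMASKED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nested-builder"},
    "spec": {"containers": [
        {"name": "build", "image": "busybox",
         "securityContext": {"procMount": "Unmasked"}},
    ]},
})

if __name__ == "__main__":
    for label, manifest in (("compliant PSP", COMPLIANT_PSP),
                            ("non-compliant PSP", NONCOMPLIANT_PSP),
                            ("pod with procMount Unmasked", UNMASKED_POD)):
        print(label, "->", check_manifest(manifest) or "no findings")
```

A PodSecurityPolicy that omits allowedProcMountTypes entirely produces no finding, matching the API's behaviour of allowing only Default in that case; the script treats only an explicit "Unmasked" entry as a violation.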
Ruleset configuration that enables this rule:

```yaml
rulesets:
  - Kubernetes # Rules to enforce.
```