Pod containers should not share the host process ID namespace

Controls whether the pod's containers share the host process ID namespace (spec.hostPID). A pod that shares the host PID namespace can see, signal and inspect every process on the node, not just its own; when paired with ptrace (for example a container that adds CAP_SYS_PTRACE) this can be used to attach to host processes and escalate privileges outside of the container. Keeping the PID namespace separate is required for proper isolation between the container and the underlying host.

Risk Level: Critical
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.AC.13
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod should not have spec.hostPID=true
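The following script is an added example that is not CloudGuard's own rule engine or GSL implementation; it evaluates the same condition as the GSL logic above against the JSON that `kubectl get pods -A -o json` prints, and additionally reports whether a non-compliant pod also adds SYS_PTRACE, the combination the description warns about. The pod list embedded below is constructed for the example (the pod names `debug-shell`, `node-probe`, `debug-shell-fixed` and `explicit-false` are hypothetical), and `remediate()` shows the corrected spec, which simply omits `hostPID` so it takes the Kubernetes default of false.

```python
"""Flag Kubernetes Pods with spec.hostPID=true (added example, not CloudGuard code).

Input is the JSON document produced by `kubectl get pods -A -o json`
(a List whose items are Pods) or a single Pod object. Run stand-alone to
see the constructed sample evaluated.
"""
import json

# Constructed sample PodList, shaped like `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # weak: shares the node's PID namespace AND adds ptrace capability
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "debug-shell", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "containers": [{
                    "name": "sh", "image": "busybox",
                    "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}},
                }],
            },
        },
        {   # weak: shares the node's PID namespace, no extra capabilities
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "node-probe", "namespace": "kube-system"},
            "spec": {"hostPID": True,
                     "containers": [{"name": "probe", "image": "busybox"}]},
        },
        {   # hardened form of debug-shell: hostPID omitted (defaults to false)
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "debug-shell-fixed", "namespace": "default"},
            "spec": {"containers": [{"name": "sh", "image": "busybox"}]},
        },
        {   # explicit false is also compliant
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "explicit-false", "namespace": "default"},
            "spec": {"hostPID": False,
                     "containers": [{"name": "app", "image": "busybox"}]},
        },
    ],
})


def pod_shares_host_pid(pod):
    """True only when spec.hostPID is the JSON boolean true (absent/false is compliant)."""
    return pod.get("spec", {}).get("hostPID", False) is True


def pod_adds_ptrace(pod):
    """True if any container or init container adds SYS_PTRACE via securityContext."""
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = caps.get("add") or []
        if any(cap.upper() in ("SYS_PTRACE", "CAP_SYS_PTRACE") for cap in added):
            return True
    return False


def pods_in(document):
    """Return the Pod objects in a kubectl JSON document (single Pod or List/PodList)."""
    obj = json.loads(document)
    if obj.get("kind") in ("List", "PodList"):
        # kubectl stamps kind on each item; tolerate items that omit it.
        return [i for i in obj.get("items", []) if i.get("kind", "Pod") == "Pod"]
    return [obj] if obj.get("kind") == "Pod" else []


def find_host_pid_pods(document):
    """Return (namespace, name, adds_ptrace) for every Pod with spec.hostPID=true."""
    findings = []
    for pod in pods_in(document):
        if pod_shares_host_pid(pod):
            meta = pod.get("metadata", {})
            findings.append((meta.get("namespace", "default"),
                             meta.get("name", "<unnamed>"),
                             pod_adds_ptrace(pod)))
    return findings


def remediate(pod):
    """Return a copy of the Pod with spec.hostPID removed, i.e. the Kubernetes default (false)."""
    fixed = json.loads(json.dumps(pod))
    fixed.get("spec", {}).pop("hostPID", None)
    return fixed


if __name__ == "__main__":
    for ns, name, ptrace in find_host_pid_pods(SAMPLE_POD_LIST):
        severity = "CRITICAL (hostPID + SYS_PTRACE)" if ptrace else "CRITICAL (hostPID)"
        print(f"{ns}/{name}: {severity}")
```

To run it against a live cluster, feed the script `kubectl get pods -A -o json` on stdin or from a file in place of `SAMPLE_POD_LIST`; the check deliberately treats only a JSON boolean `true` as a finding, since that is the only value the API server accepts for `hostPID`.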

REMEDIATION

Remove spec.hostPID from the pod spec, or set it to false (the Kubernetes default), so the pod's containers run in their own PID namespace. Sharing the host PID namespace is also disallowed by the baseline level of the Kubernetes Pod Security Standards, so enforcing that level through Pod Security Admission rejects such pods at admission time.

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • Container Admission Control
  • Container Admission Control 1.0