Control: Pod Security Policy should prohibit containers from sharing the host process namespaces
Description
Pod Security Policy `hostPID` and `hostIPC` controls whether the Pod may share the host process namespaces. Containers in a Pod should not share the host process PID or IPC namespace. Sharing the host’s process namespace allows the container to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_security_policy_hostpid_hostipc_sharing_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.pod_security_policy_hostpid_hostipc_sharing_disabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when host_pid or host_ipc then 'alarm' else 'ok' end as status, case when host_pid then 'Pod security policy ' || name || ' pods can share host PID namespaces.' when host_ipc then 'Pod security policy ' || name || ' pods can share host IPC namespaces.' else 'Pod security policy ' || name || ' pods cannot share host process namespaces.' end as reason , coalesce(context_name, '') as context_name, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_pod_security_policy;