Control: Minimize the admission of containers wishing to share the host process ID namespace
Description
A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_security_policy_hostpid_sharing_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.pod_security_policy_hostpid_sharing_disabled --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when host_pid then 'alarm' else 'ok' end as status, case when host_pid then 'Pod security policy ' || name || ' pods can share host PID namespaces.' else 'Pod security policy ' || name || ' pods cannot share host PID namespaces.' end as reason , coalesce(context_name, '') as context_name, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_pod_security_policy;