turbot/steampipe-mod-kubernetes-compliance

Benchmark: Containers should not share the host process namespace

Description

Containers should not share the host PID or IPC namespace. Sharing the host’s process namespace lets a container see every process running on the host, which undermines the process-level isolation between the host and its containers. Under these circumstances, a malicious user with access to the container could reach processes on the host itself, manipulate them, and even kill them.
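The benchmark evaluates this condition with Powerpipe against Steampipe's Kubernetes tables. The script below is an added example, not code from the steampipe-mod-kubernetes-compliance mod, that performs the same check offline on Pod and workload manifests already parsed into Python dicts: it flags any PodSpec whose hostPID or hostIPC field is set to true (the Kubernetes defaults are false, so the remediation is simply to remove the field or set it to false). The manifests, names and namespaces in SAMPLE_MANIFESTS are constructed for the example, and the alarm/ok statuses mirror Powerpipe's control results rather than the mod's own query.

```python
"""Flag Pods (and workload pod templates) that share the host PID or IPC namespace.

Added example for the 'Containers should not share the host process namespace'
benchmark; it is not part of the steampipe-mod-kubernetes-compliance mod.
Input is a list of Kubernetes manifests as plain dicts (e.g. from json.load
or yaml.safe_load); output mirrors Powerpipe's alarm/ok control statuses.
"""
from __future__ import annotations

# PodSpec fields that grant access to host namespaces covered by this benchmark.
HOST_NAMESPACE_FIELDS = {
    "hostPID": "shares the host PID namespace",
    "hostIPC": "shares the host IPC namespace",
}


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a Pod, or the pod template spec of a workload.

    Deployment, DaemonSet, StatefulSet, ReplicaSet and Job keep the pod under
    spec.template.spec; CronJob nests it under spec.jobTemplate.spec.template.spec.
    """
    spec = manifest.get("spec", {})
    kind = manifest.get("kind")
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def check_host_namespaces(manifest: dict) -> dict:
    """Evaluate one manifest and return a Powerpipe-style result record."""
    spec = pod_spec(manifest)
    # Only a literal boolean true enables sharing; a missing field means false.
    reasons = [desc for field, desc in HOST_NAMESPACE_FIELDS.items() if spec.get(field) is True]
    meta = manifest.get("metadata", {})
    resource = f'{manifest.get("kind")}/{meta.get("namespace", "default")}/{meta.get("name")}'
    return {
        "resource": resource,
        "status": "alarm" if reasons else "ok",
        "reasons": reasons,
    }


def summarize(manifests: list[dict]) -> dict:
    """Count alarm and ok results across all manifests, like a benchmark summary."""
    counts = {"alarm": 0, "ok": 0}
    for manifest in manifests:
        counts[check_host_namespaces(manifest)["status"]] += 1
    return counts


# Constructed sample manifests (hypothetical names and namespaces).
SAMPLE_MANIFESTS = [
    {   # a debugging pod that deliberately shares the host PID namespace
        "kind": "Pod",
        "metadata": {"name": "debug-shell", "namespace": "kube-system"},
        "spec": {"hostPID": True, "containers": [{"name": "sh", "image": "busybox"}]},
    },
    {   # an ordinary workload that leaves both fields at their default (false)
        "kind": "Deployment",
        "metadata": {"name": "web", "namespace": "shop"},
        "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}},
    },
    {   # a node agent that shares only the host IPC namespace
        "kind": "DaemonSet",
        "metadata": {"name": "node-agent", "namespace": "monitoring"},
        "spec": {"template": {"spec": {"hostPID": False, "hostIPC": True,
                                       "containers": [{"name": "agent", "image": "agent"}]}}},
    },
    {   # a CronJob that explicitly sets both fields to false
        "kind": "CronJob",
        "metadata": {"name": "cleanup", "namespace": "ops"},
        "spec": {"jobTemplate": {"spec": {"template": {"spec": {
            "hostPID": False, "hostIPC": False,
            "containers": [{"name": "cleanup", "image": "busybox"}]}}}}},
    },
]


if __name__ == "__main__":
    for result in map(check_host_namespaces, SAMPLE_MANIFESTS):
        detail = "; ".join(result["reasons"]) or "does not share host PID or IPC namespace"
        print(f'{result["status"].upper():5} {result["resource"]}: {detail}')
    print("summary:", summarize(SAMPLE_MANIFESTS))
```

Running the script reports an alarm for the debug-shell Pod and the node-agent DaemonSet and ok for the other two, a 2/2 split in the summary. The check is deliberately strict about the literal boolean true so that a manifest leaving the field unset is treated the same way the API server treats it, as not sharing the namespace.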

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Containers should not share the host process namespace.

Run this benchmark in your terminal:

powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_hostpid_hostipc_sharing_disabled

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_hostpid_hostipc_sharing_disabled --share

Controls

Tags