Benchmark: Containers should not share the host process namespace
Description
Containers should not share the host process PID or IPC namespace. Sharing the host’s process namespace allows the container to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select Containers should not share the host process namespace.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_hostpid_hostipc_sharing_disabled
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_hostpid_hostipc_sharing_disabled --share
Controls
- CronJob containers should not share the host process namespace
- DaemonSet containers should not share the host process namespace
- Deployment containers should not share the host process namespace
- Job containers should not share the host process namespace
- Pod containers should not share the host process namespace
- Pod Security Policy should prohibit containers from sharing the host process namespaces
- ReplicaSet containers should not share the host process namespace
- ReplicationController containers should not share the host process namespace
- StatefulSet containers should not share the host process namespace