Profile Applicability:

  • Level 1

Description:
 Containers that share the host's process ID (PID) namespace can see and interact with every process running on the host node. This significantly increases the risk of container breakout and privilege escalation. This check ensures that pods which do not require access to the host's PID namespace are prevented from sharing it.

Rationale:
 Allowing containers to share the host's PID namespace lets them observe and manipulate processes running on the host, which can lead to security vulnerabilities. hostPID is a pod-level setting, so enabling it exposes the host's processes to every container in that pod. Pods should share the host PID namespace only if absolutely necessary; limiting this access reduces the attack surface and minimizes risk to the host system.

Impact:

  • Pros:

    • Reduces the risk of containers gaining unauthorized access to host processes.

    • Enhances security by preventing process visibility between the container and host.

  • Cons:

    • Some applications, such as debugging or monitoring tools, may require access to the host PID namespace.

    • Restricting access may impact certain containerized workloads.

Default Value:
 By default, Kubernetes does not allow containers to share the host’s PID namespace unless explicitly configured to do so.

Pre-requisites:
 Ensure that PodSecurityPolicies or other security mechanisms are in place to prevent containers from sharing the host’s PID namespace unless necessary.

Remediation:

Test Plan:

Using Azure Console:

  1. Review the pod or container specifications to check if the hostPID flag is set to true in any pods.

  2. Ensure that containers which do not need access to the host process namespace do not have hostPID: true enabled.

Using Azure CLI:

  1. Use the following command to list the hostPID setting of every pod in the cluster:

     kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.hostPID}'

  2. Ensure that the hostPID field is not set to true unless absolutely required.
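The jsonpath query above prints only the bare hostPID values, with no pod names, so it shows that an offender exists but not which pod it is. The following script is an added example (not part of this check's original text) that ranges over all pods, prints namespace/name for each pod with hostPID: true, and exits non-zero when any are found; it assumes kubectl and awk are available, and the sample pod list at the bottom is constructed so the filter can be exercised without a cluster.

```shell
#!/bin/sh
# Audit every pod for hostPID: true. hostPID is a pod-level field
# (spec.hostPID), so one jsonpath range over all pods is enough. An unset
# field renders as an empty string, which is treated as false (the default).

# Emit one "namespace<TAB>pod<TAB>hostPID" line per pod. This is the only
# function that talks to the cluster; the filter below is pure text.
list_pods_with_host_pid_field() {
  kubectl get pods --all-namespaces \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.hostPID}{"\n"}{end}'
}

# Read the TSV on stdin and print "namespace/pod" for each pod whose third
# column is exactly "true". Exit status 1 if at least one such pod exists.
filter_host_pid_true() {
  awk -F '\t' 'BEGIN { n = 0 }
    $3 == "true" { print $1 "/" $2; n++ }
    END { exit (n > 0 ? 1 : 0) }'
}

# Wrapper for real use against a cluster:
#   audit_host_pid && echo "no pods share the host PID namespace"
audit_host_pid() {
  list_pods_with_host_pid_field | filter_host_pid_true
}

# Constructed sample in the shape kubectl would emit (illustrative names only):
# two offenders, one explicit false, one pod with the field unset.
SAMPLE_PODS=$(printf 'kube-system\tnode-exporter-abc12\ttrue\ndefault\tweb-7d9f\tfalse\nmonitoring\tagent-x1\t\ndefault\tapi-55c\ttrue\n')

# Run the filter over the constructed sample instead of a live cluster.
sample_audit() {
  printf '%s\n' "$SAMPLE_PODS" | filter_host_pid_true
}
```

Running `sample_audit` prints the two offending pods and returns exit status 1; the same filter applied to live output via `audit_host_pid` can be wired into a CI or compliance job.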

Implementation Plan:

Using Azure Console:

  1. Access the pod or container specification settings.

  2. Ensure that the hostPID field is set to false or not set at all for pods that do not need to share the host process namespace.

  3. For any pods that require access to the host process namespace, ensure that the need is legitimate and the container has adequate security controls.

Using Azure CLI:

  1. Update the workload so its pods no longer share the host PID namespace by editing the deployment's pod template:

     kubectl edit deployment <deployment-name> --namespace=<namespace>

  2. Add or modify the hostPID: false setting in the pod template section of the deployment spec.

Backout Plan:

Using Azure Console:

  1. If restricting access to the host PID namespace causes issues, revert the configuration to allow specific containers to access it by setting hostPID: true.

Using Azure CLI:

  1. Revert the hostPID setting by editing the deployment's pod template to allow access to the host PID namespace:

     kubectl edit deployment <deployment-name> --namespace=<namespace>

  2. Set hostPID: true where necessary.
