Profile Applicability:

  • Level 1

Description:
 Windows HostProcess containers run as ordinary processes on the Windows host rather than inside an isolated container: they require hostNetwork: true and so share the host network, they see the host file system, and they run as whatever Windows account is named in windowsOptions.runAsUserName, which can be NT AUTHORITY\SYSTEM. They are the Windows equivalent of a privileged container. This check ensures that admission of Windows HostProcess containers is restricted to the few node-level workloads that genuinely need that access.

Rationale:
 A HostProcess container is not isolated from the node, so compromising one is equivalent to compromising the Windows node it runs on: the attacker can read and modify the host file system, reach the host network and, when the container runs as SYSTEM, control the kubelet and every other pod scheduled to that node. Minimizing HostProcess use applies the principle of least privilege to Windows workloads and confines this level of access to trusted, node-level components.

Impact:

  • Pros:

    • Reduces the node's attack surface by keeping application containers isolated from the Windows host.

    • Prevents a compromised application container from escalating to host-level privileges.

  • Cons:

    • Node-level agents such as CNI and CSI plugins, device plugins and monitoring agents may legitimately require HostProcess containers to manage the host's network, storage or file system.

    • Requires namespace-level admission policy and RBAC so that only trusted workloads in designated namespaces can use HostProcess containers.

Default Value:
 By default, a pod that sets windowsOptions.hostProcess: true is admitted if it is scheduled to a Windows node. Pod Security Admission is enabled on current Kubernetes versions, but it rejects nothing until a namespace carries a pod-security.kubernetes.io/enforce label, so no restriction is in place unless specifically configured.

Pre-requisites:
 The cluster runs a Windows node pool (HostProcess containers are a Windows-only feature). PodSecurityPolicy was removed in Kubernetes 1.25 and is not available on supported AKS versions; the restriction is enforced with Pod Security Admission (the baseline and restricted Pod Security Standards both reject hostProcess), or with a Gatekeeper constraint through the Azure Policy add-on, applied to every namespace except the one reserved for trusted node-level workloads.

Test Plan:

Using Azure Console:

  1. In the Azure portal, open the Azure Kubernetes Service (AKS) cluster and go to Kubernetes resources > Workloads.

  2. Open the YAML of each pod running on Windows nodes and look for windowsOptions.hostProcess: true, either under spec.securityContext (pod level) or under a container's securityContext (container level).

  3. Confirm that every HostProcess pod found is a trusted node-level workload, then go to Kubernetes resources > Namespaces and check that every other namespace carries the label pod-security.kubernetes.io/enforce with the value baseline or restricted.

Using Azure CLI:

  1. List every pod with its pod-level and container-level hostProcess settings (the field lives under securityContext.windowsOptions, not directly under spec):

     kubectl get pods --all-namespaces -o custom-columns='NAMESPACE:.metadata.namespace,POD:.metadata.name,POD_HOSTPROCESS:.spec.securityContext.windowsOptions.hostProcess,CONTAINER_HOSTPROCESS:.spec.containers[*].securityContext.windowsOptions.hostProcess'

     A row showing true in either column is a HostProcess pod; <none> means the field is unset.

  2. Confirm that each HostProcess pod found is a trusted node-level workload (for example a CNI, CSI or monitoring agent in a namespace reserved for such components) and not an application workload.

  3. Verify that Pod Security Admission rejects HostProcess containers in every other namespace by listing the enforce label; a namespace with no value, or with privileged, still admits them:

     kubectl get namespaces -L pod-security.kubernetes.io/enforce
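As an added audit helper for steps 1 and 3 above (this is example code written for this page; it is not CIS, Microsoft or Kubernetes project code), the following Python script reads the JSON produced by kubectl and reports every container whose effective hostProcess value is true, evaluating both the pod-level and the container-level setting and covering init and ephemeral containers, plus every namespace whose pod-security.kubernetes.io/enforce label would still admit such pods. The pod and namespace lists embedded in it are constructed sample data; the image names, pod names and the script file name are illustrative.

```python
"""Audit Windows HostProcess usage and Pod Security Admission coverage.

Added example for this benchmark check (not CIS, Microsoft or Kubernetes
project code). Reads the JSON that `kubectl get pods -A -o json` and
`kubectl get namespaces -o json` produce; falls back to constructed sample
data when run without arguments.
"""
import json
import sys

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# The baseline and restricted Pod Security Standards both forbid hostProcess;
# "privileged" (or no enforce label at all) admits it.
ENFORCING_LEVELS = {"baseline", "restricted"}


def _windows_options(security_context):
    """Return the windowsOptions block of a possibly absent securityContext."""
    return (security_context or {}).get("windowsOptions") or {}


def find_hostprocess_containers(pod_list):
    """Return (namespace, pod, container) for every container that runs as HostProcess.

    hostProcess may be set at pod level (spec.securityContext.windowsOptions)
    or per container; an explicit container-level value takes precedence,
    otherwise the pod-level value applies. The API server rejects pods that
    mix HostProcess and non-HostProcess containers, but an audit should still
    compute the effective value instead of trusting a single location.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        pod_level = bool(_windows_options(spec.get("securityContext")).get("hostProcess"))
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for ctr in spec.get(kind) or []:
                win = _windows_options(ctr.get("securityContext"))
                effective = win["hostProcess"] if "hostProcess" in win else pod_level
                if effective:
                    findings.append((meta.get("namespace"), meta.get("name"), ctr.get("name")))
    return findings


def namespaces_without_enforcement(namespace_list):
    """Return names of namespaces where Pod Security Admission would admit HostProcess pods."""
    lax = []
    for ns in namespace_list.get("items", []):
        labels = ns.get("metadata", {}).get("labels") or {}
        if labels.get(ENFORCE_LABEL) not in ENFORCING_LEVELS:
            lax.append(ns["metadata"]["name"])
    return lax


# Constructed sample data, not captured from a real cluster.
SAMPLE_PODS = {"items": [
    {   # Pod-level hostProcess: every container in the pod runs on the host.
        "metadata": {"namespace": "kube-system", "name": "node-agent-win"},
        "spec": {"hostNetwork": True,
                 "securityContext": {"windowsOptions": {
                     "hostProcess": True, "runAsUserName": "NT AUTHORITY\\SYSTEM"}},
                 "containers": [{"name": "agent", "image": "example.invalid/node-agent:1.0"}]}},
    {   # Container-level hostProcess set directly on the container.
        "metadata": {"namespace": "sandbox", "name": "log-shipper"},
        "spec": {"hostNetwork": True,
                 "containers": [{"name": "shipper", "image": "example.invalid/shipper:2.3",
                                 "securityContext": {"windowsOptions": {"hostProcess": True}}}]}},
    {   # Ordinary Windows pod: runAsUserName set, hostProcess absent.
        "metadata": {"namespace": "apps", "name": "web"},
        "spec": {"containers": [{"name": "web", "image": "example.invalid/web:5",
                                 "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}}}]}},
    {   # Linux pod with no securityContext anywhere.
        "metadata": {"namespace": "apps", "name": "api"},
        "spec": {"containers": [{"name": "api", "image": "example.invalid/api:7"}]}},
]}

SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "kube-system"}},                                   # no label: admits
    {"metadata": {"name": "apps", "labels": {ENFORCE_LABEL: "baseline"}}},   # rejects
    {"metadata": {"name": "sandbox", "labels": {ENFORCE_LABEL: "privileged"}}},  # admits
    {"metadata": {"name": "platform", "labels": {ENFORCE_LABEL: "restricted"}}},  # rejects
]}


def main(argv):
    if len(argv) >= 3:
        with open(argv[1]) as f:
            pods = json.load(f)
        with open(argv[2]) as f:
            namespaces = json.load(f)
    else:
        pods, namespaces = SAMPLE_PODS, SAMPLE_NAMESPACES
    for ns, pod, ctr in find_hostprocess_containers(pods):
        print(f"HOSTPROCESS  {ns}/{pod}  container={ctr}")
    for ns in namespaces_without_enforcement(namespaces):
        print(f"UNENFORCED   namespace={ns}  ({ENFORCE_LABEL} is not baseline/restricted)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a cluster with kubectl get pods -A -o json > pods.json, kubectl get namespaces -o json > ns.json, then python3 audit_hostprocess.py pods.json ns.json (file names are illustrative). Any HOSTPROCESS line outside the namespace reserved for node-level agents, and any UNENFORCED line for a namespace that hosts application workloads, is a finding for this check.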

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, open the AKS cluster and go to Kubernetes resources > Namespaces to review the labels on each namespace. PodSecurityPolicy was removed in Kubernetes 1.25 and the portal has no admission-policy page; the restriction is applied by labelling every namespace that must not run HostProcess containers with pod-security.kubernetes.io/enforce=baseline (or restricted), using kubectl as described under Using Azure CLI. If admission policy is managed through the Azure Policy add-on, a custom Gatekeeper constraint that denies hostProcess can be assigned from the cluster's Policies blade instead.

  2. Keep the trusted workloads that genuinely need HostProcess containers in a dedicated namespace labelled pod-security.kubernetes.io/enforce=privileged, and use RBAC to limit who can create pods in that namespace.

Using Azure CLI:

Label the namespaces that must not run HostProcess containers so that Pod Security Admission enforces at least the baseline standard, which rejects hostProcess at both pod and container level. A namespace manifest carrying the labels:

apiVersion: v1
kind: Namespace
metadata:
  name: <namespace-name>
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

  1. Apply the manifest, or add the label to an existing namespace in place:

     kubectl apply -f namespace-baseline.yaml

     kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce=baseline --overwrite


  2. Before enforcing, ask the API server to evaluate the label without applying it; it warns about running pods that the new level would reject:

     kubectl label --dry-run=server --overwrite namespace <namespace-name> pod-security.kubernetes.io/enforce=baseline


  3. For the namespace that hosts trusted HostProcess workloads, set the enforce label to privileged and restrict pod creation there with RBAC, for example by granting a Role with create on pods only to the service account or group that deploys those agents.


Backout Plan:

Using Azure Console:

  1. If enforcing the restriction breaks a workload, open Kubernetes resources > Namespaces in the Azure portal, identify the affected namespace, and relax its pod-security.kubernetes.io/enforce label to privileged (or remove it) with kubectl as described under Using Azure CLI; the audit and warn labels can stay in place so the violation is still logged.

Using Azure CLI:

  1. Relax enforcement for the affected namespace by removing the enforce label (the trailing hyphen removes a label), or by setting it to privileged:

     kubectl label namespace <namespace-name> pod-security.kubernetes.io/enforce-


  2. Alternatively, move the workload that genuinely needs a HostProcess container into the privileged namespace reserved for such components, leaving enforcement in place everywhere else.

References:

  1. Windows Containers in Kubernetes

  2. Azure Kubernetes Service (AKS) Windows Node Pool Documentation

  3. Kubernetes Pod Security Standards and Pod Security Admission Documentation