Profile Applicability:
Level 1
Description:
The hostPID field in a Kubernetes Pod spec (spec.hostPID: true) makes the pod's containers run in the host's process ID (PID) namespace instead of their own. This is occasionally needed by node-level agents (process monitors, some debugging tools), but it removes one of the main isolation boundaries between a container and the node. This check ensures that workloads do not share the host PID namespace unless explicitly required, so that a compromised container cannot enumerate, inspect or interfere with processes running on the node.
Rationale:
A container in the host PID namespace sees the host's full process table: it can list every process on the node (including the kubelet, the container runtime and other tenants' containers), read their /proc entries, and send them signals. If the pod is also privileged or carries CAP_SYS_PTRACE, the process can ptrace those processes, read their memory and environment, and enter the host's mount namespace through /proc/1/root or nsenter, which amounts to a full container escape. Even without extra capabilities, the visibility alone leaks command lines and aids lateral movement. Keeping hostPID off everywhere except for explicitly approved workloads reduces this attack surface and preserves pod-to-node isolation in the cluster.
Impact:
Pros:
Removes the container's view of the host process table, so a compromised pod cannot enumerate, signal or (with ptrace rights) inspect node processes.
Restores the PID namespace boundary between containers and the node, closing one of the standard routes from a privileged pod to a container escape.
Cons:
Node-level monitoring and debugging tools that legitimately read the host process table must be identified and granted an explicit exemption.
Enforcing the restriction with an admission policy requires planning so that existing workloads in the affected namespaces are not rejected on their next rollout.
Default Value:
By default, containers are not configured to share the host process ID namespace unless explicitly specified in the pod's configuration.
Pre-requisites:
Ensure an admission mechanism is in place to reject pods that set hostPID: true unless they are explicitly allowed. On AKS this is either Pod Security Admission (the built-in admission controller that enforces the Pod Security Standards; the baseline level forbids hostPID, hostIPC and hostNetwork) or the Azure Policy add-on for AKS with the built-in policy "Kubernetes cluster containers should not share host process ID or host IPC namespace". PodSecurityPolicy (PSP) was deprecated in Kubernetes 1.21 and removed in 1.25; the PSP steps below apply only to clusters that still run an older version.
Test Plan:
Using Azure Console:
In the Azure portal, open your Azure Kubernetes Service (AKS) cluster and go to Kubernetes resources > Workloads.
Open the YAML of each pod (or of the Deployment, DaemonSet or StatefulSet that owns it) and verify that spec.hostPID is absent or false unless the workload is on the approved exemption list.
Confirm that enforcement is in place: either the namespaces carry a pod-security.kubernetes.io/enforce label at baseline or restricted level, or the Azure Policy add-on is enabled under the cluster's Policies blade with the host-namespace policy assigned in Deny mode.
Using Azure CLI:
List every pod together with its hostPID value (the column shows <none> when the field is not set, which is the default and means false):
kubectl get pods -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTPID:.spec.hostPID'
To print only the pods that share the host PID namespace:
kubectl get pods -A -o jsonpath='{range .items[?(@.spec.hostPID==true)]}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{end}'
Every pod reported must be on the approved exemption list; anything else is a finding.
Verify that an admission policy enforces the restriction. For Pod Security Admission, check the namespace labels:
kubectl get namespaces -L pod-security.kubernetes.io/enforce
Namespaces hosting untrusted workloads should show baseline or restricted. On clusters older than 1.25 that still use PSP, confirm a policy with hostPID: false exists and that the pods' service accounts are bound to it.
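The check above can be scripted so it runs in a pipeline and fails on any pod that shares the host PID namespace and is not on an exemption list. The following is an added example written for this page, not code from the benchmark, AKS or Kubernetes; it parses the JSON that kubectl get pods -A -o json prints, and the pod list, namespaces and pod names embedded in it are constructed for the demonstration.

```python
"""Report pods that share the host PID namespace.

Reads the JSON shape of `kubectl get pods -A -o json`. Run with --live to
query the current kubectl context; without it the constructed sample is used.
"""
import json
import subprocess
import sys

# Constructed sample in the shape kubectl produces; only the fields this
# check reads are included. Names and namespaces are made up.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-7c9f"},
         "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
        {"metadata": {"namespace": "monitoring", "name": "node-agent-x1z2"},
         "spec": {"hostPID": True,
                  "containers": [{"name": "agent", "image": "agent:1.0",
                                  "securityContext": {"privileged": True}}]}},
        {"metadata": {"namespace": "dev", "name": "debug-shell"},
         "spec": {"hostPID": True,
                  "containers": [{"name": "sh", "image": "busybox"}]}},
        {"metadata": {"namespace": "prod", "name": "api-55d"},
         "spec": {"hostPID": False,
                  "containers": [{"name": "api", "image": "api:2.3"}]}},
    ],
})


def host_pid_pods(pod_list_json, allowlist=frozenset()):
    """Return (namespace, name, privileged) for each pod with hostPID: true
    that is not listed in `allowlist` (entries are "namespace/name").

    hostPID is a pod-level field under .spec, not under securityContext; an
    absent field means false, the default. `privileged` marks pods that also
    run a privileged container, the combination that allows entering the
    host's other namespaces from PID 1.
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        spec = pod.get("spec", {})
        if spec.get("hostPID") is not True:
            continue
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        if f"{ns}/{name}" in allowlist:
            continue
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        privileged = any(
            c.get("securityContext", {}).get("privileged") is True for c in containers
        )
        findings.append((ns, name, privileged))
    return findings


def fetch_pod_list():
    """Query the current kubectl context (only used with --live)."""
    result = subprocess.run(["kubectl", "get", "pods", "-A", "-o", "json"],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    data = fetch_pod_list() if "--live" in sys.argv else SAMPLE_POD_LIST
    # Approved exemptions would normally come from a reviewed file; constructed here.
    approved = frozenset({"monitoring/node-agent-x1z2"})
    findings = host_pid_pods(data, approved)
    for ns, name, priv in findings:
        print(f"{ns}/{name}: hostPID=true" + (" privileged=true" if priv else ""))
    sys.exit(1 if findings else 0)
```

The exit status makes the script usable as a gate in CI or a scheduled audit job; the privileged flag in the output helps prioritise findings, since hostPID combined with a privileged container is the case that yields a direct node compromise.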
Implementation Plan:
Using Azure Console:
In the Azure portal, open your AKS cluster, go to Kubernetes resources > Workloads and open the YAML of the workload that sets hostPID.
Remove hostPID from the Pod spec (or set it to false). Note that hostPID is a pod-level field directly under spec, not a securityContext setting:
    spec:
      hostPID: false
Enable an admission control mechanism so that new pods cannot reintroduce the setting. The preferred option on current AKS versions is Pod Security Admission at baseline level on each namespace that runs untrusted workloads, or the Azure Policy add-on (Policies blade of the cluster) with the host-namespace policy assigned in Deny mode. On clusters older than Kubernetes 1.25 a PodSecurityPolicy can be used instead; the seLinux, runAsUser, supplementalGroups and fsGroup fields are mandatory in a PSP, so a minimal valid policy is:
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restrict-hostpid
    spec:
      hostPID: false
      seLinux:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
A PSP only takes effect once the PodSecurityPolicy admission plugin is enabled and the pods' service accounts are granted RBAC permission to use it; workloads that genuinely need hostPID are given a separate policy with hostPID: true bound only to their service account.
Using Azure CLI:
Modify the Pod specification (or the pod template of the owning Deployment or DaemonSet) so that hostPID is absent or false. The field sits directly under spec, not under securityContext:
    spec:
      hostPID: false
Apply the updated Pod configuration:
kubectl apply -f pod-spec.yaml
Turn on Pod Security Admission enforcement for the namespace; the baseline level rejects pods that set hostPID, hostIPC or hostNetwork:
kubectl label namespace <namespace> pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/enforce-version=latest
On clusters older than Kubernetes 1.25 that rely on PodSecurityPolicy, create a policy that restricts hostPID (the four RunAsAny sections are required fields of a PSP):
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restrict-hostpid
    spec:
      hostPID: false
      seLinux:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
Apply the PodSecurityPolicy and bind it to the relevant service accounts with a Role granting the use verb on the policy:
kubectl apply -f pod-security-policy.yaml
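The remediation steps above can be checked before a manifest reaches the cluster. The following is an added example written for this page, not code from the benchmark, AKS or the Kubernetes project. It applies the baseline Pod Security Standard's "Host Namespaces" control, which goes beyond the hostPID field discussed on this page to the sibling hostIPC and hostNetwork fields the same control covers, strips the offending fields from a manifest, and builds the namespace label patch that turns on Pod Security Admission enforcement. The pod manifest and the namespace name are constructed for the demonstration.

```python
"""Baseline "Host Namespaces" pre-admission check with remediation."""
import copy
import json

# Pod-level fields the baseline Pod Security Standard requires to be unset or
# false. They live directly under .spec, not under securityContext.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")

# Constructed manifest that a baseline-enforcing namespace would reject.
VIOLATING_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "dev"},
    "spec": {
        "hostPID": True,
        "containers": [
            {"name": "sh", "image": "busybox", "command": ["sleep", "3600"]}
        ],
    },
}


def host_namespace_violations(pod):
    """Return the baseline violations in a pod manifest as 'spec.<field>=true'."""
    spec = pod.get("spec", {})
    return [f"spec.{f}=true" for f in HOST_NAMESPACE_FIELDS if spec.get(f) is True]


def remediate(pod):
    """Return a copy of the pod with host namespace sharing removed.

    Deleting the field is equivalent to setting it to false, the default, and
    keeps the manifest minimal. The input manifest is left untouched.
    """
    fixed = copy.deepcopy(pod)
    for field in HOST_NAMESPACE_FIELDS:
        fixed.get("spec", {}).pop(field, None)
    return fixed


def psa_namespace_labels(level="baseline", version="latest"):
    """Labels that make Pod Security Admission enforce `level` in a namespace.

    The warn label at the same level surfaces violations to kubectl users on
    create/update, which eases rollout in namespaces with existing workloads.
    """
    return {
        "pod-security.kubernetes.io/enforce": level,
        "pod-security.kubernetes.io/enforce-version": version,
        "pod-security.kubernetes.io/warn": level,
    }


def namespace_label_patch(level="baseline"):
    """JSON body for `kubectl patch namespace <ns> -p '<body>'` (strategic merge)."""
    return json.dumps({"metadata": {"labels": psa_namespace_labels(level)}})


if __name__ == "__main__":
    print("violations:", host_namespace_violations(VIOLATING_POD))
    print("remediated manifest (kubectl apply accepts JSON):")
    print(json.dumps(remediate(VIOLATING_POD), indent=2))
    print("namespace patch, e.g. kubectl patch namespace dev -p '<body>':")
    print(namespace_label_patch())
```

Running the check in a pre-merge hook reports spec.hostPID=true for the constructed manifest and passes the remediated copy; the same function run over the existing manifests of a namespace tells you what will break before you add the enforce label to it.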
Backout Plan:
Using Azure Console:
If the restriction breaks a legitimate workload, do not relax the policy cluster-wide. In the Azure portal, open the workload under Kubernetes resources > Workloads and either move it to a namespace that is exempt from enforcement or restore hostPID on that workload alone, and record the exemption.
Using Azure CLI:
Restore hostPID on the specific workload that needs it. The field goes directly under spec:
    spec:
      hostPID: true
Apply the updated configuration:
kubectl apply -f pod-spec.yaml
If the pod is rejected by Pod Security Admission, remove the enforce label from its namespace (or lower the level to privileged) until the workload can be moved to a dedicated, exempted namespace. On clusters older than 1.25 that use PodSecurityPolicy, delete the restricting policy or bind the workload's service account to a policy that allows hostPID:
kubectl delete podsecuritypolicy restrict-hostpid
References:
Kubernetes Pod Security Standards Documentation (baseline level, Host Namespaces control)
Kubernetes Pod Security Admission Documentation
Kubernetes PodSecurityPolicy Documentation (removed in Kubernetes 1.25)