Profile Applicability:
Level 1
Description:
In Kubernetes, PIDs (Process IDs) are used to identify processes running within a pod. By default, there is no limit on the number of processes that can be created within a pod, which can lead to resource exhaustion and potential denial-of-service (DoS) attacks. This check ensures that a limit is set on the number of PIDs that can be created by each pod, preventing excessive resource consumption and enhancing security.
Rationale:
Setting a limit on the number of PIDs in a pod helps ensure that individual pods do not consume excessive system resources, which could negatively affect the stability of the cluster. Without limits, a pod could spawn an excessive number of processes, leading to issues such as host resource exhaustion or interference with other pods running on the same node.
Impact:
Pros:
Prevents excessive consumption of system resources (like CPU and memory) by controlling the number of processes.
Reduces the risk of a single pod consuming excessive resources and affecting the stability of the cluster.
Helps protect against fork bomb attacks or other types of resource exhaustion attacks.
Cons:
Some workloads may require a larger number of processes, and setting a limit could potentially cause failures if the process limit is too low.
Requires careful planning and testing to ensure that legitimate workloads are not impacted by the PID limit.
Default Value:
By default, Kubernetes does not set a limit on the number of processes that can be created within a pod. The limit must be explicitly configured in the pod's resource settings.
Pre-requisites:
Ensure that PodSecurityPolicies or equivalent admission controllers are in place to enforce the PID limit configuration.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Pod configurations to check if a PID limit is set for each pod.
Ensure that PodSecurityPolicies or other enforcement mechanisms are in place to restrict pod PIDs from exceeding the defined limit.
Using Azure CLI:
1. List all pods and check the securityContext configuration for pidLimit:
kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.securityContext.pidLimit}'
2. Ensure that the pidLimit field is set to a reasonable value for all pods.
3. Check for PodSecurityPolicies to ensure that the pidLimit is being enforced for new pods:
kubectl get podsecuritypolicy --all-namespaces
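As an added example (not part of this benchmark text), the following Python script applies steps 1 and 2 of the Test Plan to a saved `kubectl get pods --all-namespaces -o json` dump: it reports every pod whose PID limit is missing, malformed, or above a threshold. The field path and the 100-process threshold are taken from this check's own text, and the pod list it runs against is constructed sample data.

```python
import json

# Field path inspected by the Test Plan above (spec.securityContext.pidLimit).
# Adjust it if your cluster records the per-pod PID limit elsewhere.
PID_LIMIT_PATH = ("spec", "securityContext", "pidLimit")

def get_path(obj, path):
    """Walk a nested dict along path; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit_pods(pod_list, max_allowed=100, path=PID_LIMIT_PATH):
    """Return (namespace, name, reason) for every pod that fails the check.

    pod_list is the parsed JSON from `kubectl get pods --all-namespaces -o json`.
    A pod fails if the limit is absent, not a positive integer, or above
    max_allowed (100 is the value this check uses in its examples)."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ident = (meta.get("namespace", "default"), meta.get("name", "<unnamed>"))
        limit = get_path(pod, path)
        if limit is None:
            findings.append(ident + ("no PID limit set",))
        elif isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0:
            findings.append(ident + (f"invalid PID limit {limit!r}",))
        elif limit > max_allowed:
            findings.append(ident + (f"PID limit {limit} exceeds {max_allowed}",))
    return findings

# Constructed sample, shaped like `kubectl get pods --all-namespaces -o json` output.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"securityContext": {"pidLimit": 100}, "containers": [{"name": "c"}]}},
  {"metadata": {"namespace": "default", "name": "batch-runner"},
   "spec": {"containers": [{"name": "c"}]}},
  {"metadata": {"namespace": "ci", "name": "builder"},
   "spec": {"securityContext": {"pidLimit": 5000}, "containers": [{"name": "c"}]}}
]}
""")

if __name__ == "__main__":
    # Replace SAMPLE_POD_LIST with json.load(open("pods.json")) for a real dump.
    for ns, name, reason in audit_pods(SAMPLE_POD_LIST):
        print(f"{ns}/{name}: {reason}")
```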
Implementation Plan:
Using Azure Console:
In the Azure portal, go to your AKS cluster and navigate to Pod specifications.
Set a PID limit in the securityContext for each pod that requires a restriction on the number of processes:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    pidLimit: 100
  containers:
  - name: my-container
    image: my-image
Apply the configuration across the cluster, ensuring that all pods have a PID limit set to prevent resource exhaustion.
Using Azure CLI:
1. To set a PID limit for a pod, modify the Pod specification YAML file:
securityContext:
  pidLimit: 100  # Set the desired limit
2. Apply the updated Pod configuration:
kubectl apply -f pod-spec.yaml
3. If using PodSecurityPolicies to enforce the PID limit, define the policy in a YAML file:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-pid-limit
spec:
  pidLimit: 100  # Set the desired limit
4. Apply the PodSecurityPolicy using:
kubectl apply -f podsecuritypolicy.yaml
Backout Plan:
Using Azure Console:
If setting the PID limit causes issues with workloads, revert the changes in the Azure portal by removing or adjusting the pidLimit configuration in the Pod specifications.
Using Azure CLI:
1. Revert the Pod specification by removing the pidLimit setting or adjusting it to a higher value:
securityContext:
  pidLimit: <new-limit>
2. Apply the updated configuration:
kubectl apply -f pod-spec.yaml
References:
Kubernetes Pod Security Context Documentation
Kubernetes PodSecurityPolicy Documentation