PSP Allows Sharing Host PID

  • Query id: 91dacd0e-d189-4a9c-8272-5999a3cc32d9
  • Query name: PSP Allows Sharing Host PID
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

Pod Security Policy allows containers to share the host process ID namespace
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostPID: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  hostPID: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny