PSP Allows Containers To Share The Host Network Namespace
- Query id: a33e9173-b674-4dfb-9d82-cf3754816e4b
- Query name: PSP Allows Containers To Share The Host Network Namespace
- Platform: Kubernetes
- Severity: High
- Category: Insecure Configurations
- CWE: 250
- URL: Github
Description¶
Check if Pod Security Policies allow containers to share the host network namespace.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: false
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'