Container Runs Unmasked

  • Query id: f922827f-aab6-447c-832a-e1ff63312bd3
  • Query name: Container Runs Unmasked
  • Platform: Kubernetes
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 1188
  • URL: Github

Description

Check if a container has full access (unmasked) to the host's /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    kubernetes.io/description: 'restricted psp for all standard use-cases'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: restricted
spec:
  allowPrivilegeEscalation: false                   # Disallow privilege escalation to any special capabilities
  allowedProcMountTypes:
    - Unmasked
  fsGroup:                                          # disallow root fsGroups for volume mounts
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  hostIPC: false                                    # disallow sharing the host IPC namespace
  hostNetwork: false                                # disallow host networking
  hostPID: false                                    # disallow sharing the host process ID namespace
  hostPorts:                                        # disallow low host ports (this seems to only apply to eth0 on EKS)
    - max: 65535
      min: 1025
  privileged: false                                 # disallow privileged pods
  readOnlyRootFilesystem: true                      # change default from 'false' to 'true'
  requiredDropCapabilities:                         # Drop all privileges in the Linux kernel
    - AUDIT_CONTROL
    - CHOWN
  runAsGroup:                                       # disallow GID 0 for pods (block root group)
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  runAsUser:                                        # disallow UID 0 for pods
    rule: MustRunAsNonRoot
  seLinux:                                          # Harness for SELinux
    rule: RunAsAny
  supplementalGroups:                               # restrict supplemental GIDs to be non-zero (non-root)
    rule: MustRunAs
    ranges:
    - max: 65535
      min: 1
  volumes:                                          # allow only these volume types
  - configMap
  - downwardAPI
  - emptyDir
  - projected
  - secret

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    kubernetes.io/description: 'restricted psp for all standard use-cases'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: restricted
spec:
  allowPrivilegeEscalation: false                   # Disallow privilege escalation to any special capabilities
  allowedProcMountTypes:
    - Default                                       # Disallow full /proc mounts, only allow the "default" masked /proc
  fsGroup:                                          # disallow root fsGroups for volume mounts
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  hostIPC: false                                    # disallow sharing the host IPC namespace
  hostNetwork: false                                # disallow host networking
  hostPID: false                                    # disallow sharing the host process ID namespace
  hostPorts:                                        # disallow low host ports (this seems to only apply to eth0 on EKS)
    - max: 65535
      min: 1025
  privileged: false                                 # disallow privileged pods
  readOnlyRootFilesystem: true                      # change default from 'false' to 'true'
  requiredDropCapabilities:                         # Drop all privileges in the Linux kernel
    - AUDIT_CONTROL
    - CHOWN
  runAsGroup:                                       # disallow GID 0 for pods (block root group)
    rule: MustRunAs
    ranges:
      - max: 65535
        min: 1
  runAsUser:                                        # disallow UID 0 for pods
    rule: MustRunAsNonRoot
  seLinux:                                          # Harness for SELinux
    rule: RunAsAny
  supplementalGroups:                               # restrict supplemental GIDs to be non-zero (non-root)
    rule: MustRunAs
    ranges:
    - max: 65535
      min: 1
  volumes:                                          # allow only these volume types
  - configMap
  - downwardAPI
  - emptyDir
  - projected
  - secret