C-0038 - Host PID/IPC privileges

Framework

WorkloadScan, ClusterScan, security, ArmoBest, NSA, AllControls

Severity

High

Description of the the issue

Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.

Remediation

Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.

Example

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  containers:
  - image: ubuntu
    name: ubuntu
  hostIPC: true # we look for this attribute and 
  hostPID: true # we look for this attribute