Shared Host PID Namespace

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-004
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "Shared Host PID Namespace"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-265"
    rules.spotter.dev/description: "Pods that use the host PID namespace can see all processes on the node, which can be a security risk."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
          - "apps"
          - "serving.knative.dev"
        versions:
          - "v1"
        kinds:
          - Pod
          - Deployment
          - StatefulSet
          - DaemonSet
          - Configuration
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude: 
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == 'Pod' && has(object.spec.hostPID) && object.spec.hostPID == true) ||
    (object.kind == 'Configuration' && has(object.spec.template.spec.hostPID) && object.spec.template.spec.hostPID == true) ||
    (object.kind in ['Deployment', 'StatefulSet', 'DaemonSet'] && has(object.spec.template.spec.hostPID) && object.spec.template.spec.hostPID == true)
  remediation:
    manual: "Do not use the host PID namespace for pods unless it is absolutely necessary."
  references:
    - title: "Pod Security Standards"
      url: "https://kubernetes.io/docs/concepts/security/pod-security-standards/#host-namespaces"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo
    spec:
      hostPID: true
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      volumes:
        - name: sec-ctx-vol
          emptyDir: { }
      containers:
        - name: sec-ctx-demo
          image: busybox
          command: [ "sh", "-c", "sleep 1h" ]
          volumeMounts:
            - name: sec-ctx-vol
              mountPath: /data/demo
          securityContext:
            allowPrivilegeEscalation: false

- name: insecure sample 2 should fail
  pass: false
  input: |
    apiVersion: serving.knative.dev/v1
    kind: Configuration
    metadata:
      name: dummy-config
      namespace: knative-sequence
    spec:
      template:
        spec:
          hostPID: true
          securityContext:
            runAsUser: 1000
            runAsGroup: 3000
            fsGroup: 2000
          volumes:
            - name: sec-ctx-vol
              emptyDir: { }
          containers:
            - name: sec-ctx-demo
              image: busybox
              command: [ "sh", "-c", "sleep 1h" ]
              volumeMounts:
                - name: sec-ctx-vol
                  mountPath: /data/demo
              securityContext:
                allowPrivilegeEscalation: false

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo
    spec:
      hostPID: false
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      volumes:
        - name: sec-ctx-vol
          emptyDir: { }
      containers:
        - name: sec-ctx-demo
          image: busybox
          command: [ "sh", "-c", "sleep 1h" ]
          volumeMounts:
            - name: sec-ctx-vol
              mountPath: /data/demo
          securityContext:
            allowPrivilegeEscalation: false

- name: secure sample 2 should pass
  pass: true
  input: |
    apiVersion: serving.knative.dev/v1
    kind: Configuration
    metadata:
      name: dummy-config
      namespace: knative-sequence
    spec:
      template:
        spec:
          hostPID: false
          securityContext:
            runAsUser: 1000
            runAsGroup: 3000
            fsGroup: 2000
          volumes:
            - name: sec-ctx-vol
              emptyDir: { }
          containers:
            - name: sec-ctx-demo
              image: busybox
              command: [ "sh", "-c", "sleep 1h" ]
              volumeMounts:
                - name: sec-ctx-vol
                  mountPath: /data/demo
              securityContext:
                allowPrivilegeEscalation: false

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-workload-004
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-workload-004
spec:
  # Add your VAP configuration here

Rule Metadata

Shared Host PID Namespace

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub