Pods should not run containers wishing to share the host process ID namespace

Description

A pod that runs with hostPID set to true shares the host's process ID namespace, so every container in it can see all processes on the node (in ps output and under /proc). That exposes the command lines and, subject to the container's user and capabilities, the environment variables of host processes, which frequently carry credentials and tokens; combined with CAP_SYS_PTRACE it also lets an attacker attach to those processes. A compromised container should not have this view of the host.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that a Kubernetes.Pod has hostPID set to false, or not specified. By default, hostPID is set to false.
  • hostPID is a field of the pod spec (spec.hostPID), not of an individual container, so it is set once per pod. For workloads that embed a pod template (Deployment, DaemonSet, StatefulSet, Job) the field lives under spec.template.spec.
  • To reject such pods at admission rather than find them afterwards, enforce at least the baseline Pod Security Standard on the namespace (label pod-security.kubernetes.io/enforce: baseline); the baseline profile forbids hostPID, hostIPC and hostNetwork.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
  hostPID: false  # pod-level field; applies to every container in the pod
# other required fields here
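The check behind this finding, as an added Python example that is not part of the original page or of any scanner's own code: it reads manifests in the JSON shape that kubectl emits (a bare object or a v1 List) and reports every workload whose pod spec sets hostPID: true. It goes slightly beyond the Pod case above by also looking inside the pod template of Deployments, DaemonSets, StatefulSets, Jobs and CronJobs, which is where hostPID lives for those kinds. The sample List, and every name and namespace in it, is constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods,daemonsets -A -o json`
# (a v1 List). Every name and namespace here is made up for illustration.
SAMPLE_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "hello", "namespace": "default"},
     "spec": {"hostPID": false,
              "containers": [{"name": "hello", "image": "busybox"}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "debug-shell", "namespace": "default"},
     "spec": {"hostPID": true,
              "containers": [{"name": "sh", "image": "busybox"}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "node-agent", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"hostPID": true,
              "containers": [{"name": "agent", "image": "agent"}]}}}}
  ]
}
""")


def pod_specs(obj):
    """Yield (kind, namespace, name, pod_spec) for each object in `obj`.

    Handles a bare Pod, a v1 List of objects, workload kinds that embed a pod
    template under spec.template.spec (Deployment, DaemonSet, StatefulSet,
    ReplicaSet, Job) and CronJob, whose template sits one level deeper.
    """
    kind = obj.get("kind", "")
    if kind == "List":
        for item in obj.get("items", []):
            yield from pod_specs(item)
        return
    meta = obj.get("metadata", {})
    ns = meta.get("namespace", "default")
    name = meta.get("name", "<unnamed>")
    spec = obj.get("spec", {})
    if kind == "Pod":
        yield kind, ns, name, spec
    elif kind == "CronJob":
        job_spec = spec.get("jobTemplate", {}).get("spec", {})
        yield kind, ns, name, job_spec.get("template", {}).get("spec", {})
    elif "template" in spec:
        yield kind, ns, name, spec["template"].get("spec", {})


def find_host_pid(obj):
    """Return "kind/namespace/name" for every workload whose pod spec has
    hostPID: true. An absent field means the default (false) and is not
    reported; hostPID is pod-level, so individual containers are not inspected."""
    return [f"{kind}/{ns}/{name}"
            for kind, ns, name, spec in pod_specs(obj)
            if spec.get("hostPID") is True]


if __name__ == "__main__":
    # Pipe `kubectl ... -o json` into the script; with no input it checks the sample.
    data = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    offenders = find_host_pid(data)
    for ref in offenders:
        print(f"hostPID: true  {ref}")
    sys.exit(1 if offenders else 0)
```

Run it against a live cluster with kubectl get pods,deployments,daemonsets,statefulsets,jobs,cronjobs -A -o json | python3 check_hostpid.py; a non-zero exit means at least one workload shares the host PID namespace. On the constructed sample it reports Pod/default/debug-shell and DaemonSet/monitoring/node-agent, while the pod that omits the field is correctly treated as the default false.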