yaml.kubernetes.security.hostipc-pod.hostipc-pod

Author: semgrep
Downloads: 418

Pod is sharing the host IPC namespace ('hostIPC: true'). Container processes can then use System V IPC objects and POSIX message queues shared with processes on the host, which reduces isolation and bypasses the container protection model. Remove the 'hostIPC' key (or set it to false, the default) to disable this. Note that the referenced PodSecurityPolicy documentation describes an API that was removed in Kubernetes 1.25; the built-in Pod Security Admission controller's baseline profile rejects pods with 'hostIPC: true', so enforcing at least baseline on the namespace is the runtime complement to this static check.

Definition

rules:
  - id: hostipc-pod
    patterns:
      - pattern-inside: |
          spec:
            ...
      - pattern: |
          hostIPC: true
    message: Pod is sharing the host IPC namespace. This allows container processes
      to communicate with processes on the host which reduces isolation and
      bypasses container protection models. Remove the 'hostIPC' key to disable
      this functionality.
    metadata:
      cwe:
        - "CWE-693: Protection Mechanism Failure"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
      category: security
      technology:
        - kubernetes
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - yaml
    severity: WARNING

Examples

hostipc-pod.test.yaml

apiVersion: v1
kind: Pod
metadata:
  name: view-pid
spec:
  # ruleid: hostipc-pod
  hostIPC: true
  containers:
    - name: nginx
      image: nginx
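The registry test above covers only a bare Pod. As an added example (a constructed test manifest, not the registry's own test file), the document below exercises the rule's 'pattern-inside: spec: ...' clause across the cases a reviewer would want confirmed: the pod template nested inside a Deployment, where the key sits at spec.template.spec and is still flagged because it lies inside a 'spec:' mapping, and a Pod that sets 'hostIPC: false' explicitly, which the literal 'hostIPC: true' pattern does not match. Annotations follow Semgrep's test convention ('# ruleid:' marks the line the rule must flag, '# ok:' one it must not); the names and images are placeholders.

```yaml
# hostipc-pod.extended.test.yaml (constructed test manifest, not from the registry)
apiVersion: v1
kind: Pod
metadata:
  name: shares-host-ipc
spec:
  # ruleid: hostipc-pod
  hostIPC: true
  containers:
    - name: app
      image: nginx
---
# The key sits at spec.template.spec, still inside a 'spec:' mapping,
# so 'pattern-inside: spec: ...' matches the nested pod template too.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shares-host-ipc-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: shares-host-ipc
  template:
    metadata:
      labels:
        app: shares-host-ipc
    spec:
      # ruleid: hostipc-pod
      hostIPC: true
      containers:
        - name: app
          image: nginx
---
# Explicitly disabled: the pattern is the literal 'hostIPC: true', so this is not flagged.
apiVersion: v1
kind: Pod
metadata:
  name: explicit-false
spec:
  # ok: hostipc-pod
  hostIPC: false
  containers:
    - name: app
      image: nginx
---
# Remediated form: the key is absent, which is equivalent to false.
apiVersion: v1
kind: Pod
metadata:
  name: remediated
spec:
  containers:
    - name: app
      image: nginx
```

Scan it with `semgrep --config r/yaml.kubernetes.security.hostipc-pod.hostipc-pod hostipc-pod.extended.test.yaml`; to verify the annotations themselves, save the rule definition above to a file and run `semgrep --test` with the rule and this manifest side by side, which reports any 'ruleid' line the rule missed or any 'ok' line it flagged.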