yaml.kubernetes.security.hostpid-pod.hostpid-pod

Author: semgrep
Downloads: 418

Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.


Definition

rules:
  - id: hostpid-pod
    patterns:
      - pattern-inside: |
          spec:
            ...
      - pattern: |
          hostPID: true
    message: Pod is sharing the host process ID namespace. When paired with ptrace
      this can be used to escalate privileges outside of the container. Remove
      the 'hostPID' key to disable this functionality.
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
      category: security
      technology:
        - kubernetes
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - yaml
    severity: WARNING

Examples

hostpid-pod.test.yaml

apiVersion: v1
kind: Pod
metadata:
  name: view-pid
spec:
  # ruleid: hostpid-pod
  hostPID: true
  containers:
    - name: nginx
      image: nginx
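An added example, not part of the Semgrep rule or this registry page: a small Python check that mirrors what the rule matches. Because the rule keys on the `spec` mapping (`pattern-inside: spec: ...`) rather than on `kind: Pod`, the check also walks pod templates nested in workload objects such as Deployments; the manifests are constructed inline as dicts in the shape `yaml.safe_load` would produce, an assumption made so the example runs without PyYAML.

```python
from copy import deepcopy


def find_host_pid(doc, path=()):
    """Return dotted paths of every `spec` mapping that sets hostPID: true.

    Mirrors the rule's `pattern-inside: spec: ...` + `pattern: hostPID: true`,
    so pod specs nested under spec.template (Deployment, DaemonSet, Job)
    are reported as well as bare Pods.
    """
    hits = []
    if isinstance(doc, dict):
        if doc.get("hostPID") is True and path and path[-1] == "spec":
            hits.append(".".join(path + ("hostPID",)))
        for key, value in doc.items():
            hits.extend(find_host_pid(value, path + (key,)))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_host_pid(item, path + (f"[{i}]",)))
    return hits


def remove_host_pid(doc):
    """Return a copy with every `hostPID` key dropped (the remediation the rule message asks for)."""
    fixed = deepcopy(doc)
    _strip(fixed)
    return fixed


def _strip(node):
    if isinstance(node, dict):
        node.pop("hostPID", None)
        for value in node.values():
            _strip(value)
    elif isinstance(node, list):
        for item in node:
            _strip(item)


# Constructed sample manifests: the page's test Pod, and a Deployment whose
# pod template carries the same hostPID setting (hypothetical, for illustration).
POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "view-pid"},
       "spec": {"hostPID": True, "containers": [{"name": "nginx", "image": "nginx"}]}}
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
              "spec": {"replicas": 1,
                       "template": {"spec": {"hostPID": True,
                                             "containers": [{"name": "nginx", "image": "nginx"}]}}}}

if __name__ == "__main__":
    for manifest in (POD, DEPLOYMENT):
        print(manifest["kind"], find_host_pid(manifest), find_host_pid(remove_host_pid(manifest)))
```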