☑️ Prevent containers from sharing the host's PID namespace

When a container is allowed to share its host's PID namespace, it can see and in some cases even kill processes running on the host outside of the container. This violates the principle of least privilege - you will likely never need a pod to access other processes outside of its own namespace.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy (What does this mean?)

Policy as code identifier: CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE

This rule will fail

If hostPID is set to true

spec:
  hostPID: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from sharing the host's PID namespace [1 occurrence]
💡 Incorrect value for key `hostPID` - running on the host's PID namespace enables access to sensitive information from processes running outside the container

How to fix this failure

Set the hostPID to false or remove it completely

spec:
  hostPID: false

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more