Skip to main content

☑️ Prevent containers from sharing the host's PID namespace

When a container is allowed to share its host's PID namespace, it can see and in some cases even kill processes running on the host outside of the container. This violates the principle of least privilege - you will likely never need a pod to access other processes outside of its own namespace.

Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? False

Policy as code identifier: CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE


This rule will fail

If hostPID is set to true

spec:
hostPID: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from sharing the host's PID namespace [1 occurrence]
💡 Incorrect value for key `hostPID` - running on the host's PID namespace enables access to sensitive information from processes running outside the container

How to fix this failure

Set the hostPID to false or remove it completely

spec:
hostPID: false

Read more