Skip to main content

☑️ Prevent Windows containers from running with unnecessary privileges

Windows HostProcess containers enable you to run containerized workloads on a Windows host. These containers operate as normal processes but have access to the host network namespace, storage, and devices when given the appropriate user privileges.

HostProcess containers run directly on the host and maintain behavior and access similar to that of a regular process. With HostProcess containers, users can package and distribute management operations and functionalities that require host access.

Since HostProcess containers enable privileged access to the Windows node, it's recommended to disallow privileged access to the host.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy (What does this mean?)

Policy as code identifier: EKS_INVALID_HOSTPROCESS_VALUE

This rule will fail

If hostProcess is set to true:

hostProcess: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent Windows containers from running with unnecessary privileges [1 occurrence]
💡 Incorrect value for key `hostProcess` - don't set or set to false to prevent unnecessary privileges

How to fix this failure

runAsUserName: "ContainerUser"

Read more