
☑️ Prevent Windows containers from running with unnecessary privileges

Windows HostProcess containers enable you to run containerized workloads on a Windows host. These containers operate as normal processes but have access to the host network namespace, storage, and devices when given the appropriate user privileges.

HostProcess containers run directly on the host and maintain behavior and access similar to that of a regular process. With HostProcess containers, users can package and distribute management operations and functionalities that require host access.

Since HostProcess containers enable privileged access to the Windows node, it's recommended to disallow privileged access to the host.

Objects targeted by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy

Policy as code identifier: EKS_INVALID_HOSTPROCESS_VALUE


This rule will fail

If hostProcess is set to true:

spec:
  securityContext:
    windowsOptions:
      hostProcess: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent Windows containers from running with unnecessary privileges [1 occurrence]
💡 Incorrect value for key `hostProcess` - don't set or set to false to prevent unnecessary privileges

How to fix this failure

spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"
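
The same check can be run over parsed manifests. The following is an added example, not Datree's own implementation. It goes beyond the pod-level snippet above by also looking at container-level `securityContext.windowsOptions` and at the nested pod templates of the workload kinds the rule targets. The function names and sample manifests are assumptions constructed for illustration.

```python
# Where the pod spec lives for each kind the rule targets.
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate") + TEMPLATE,
    **{k: TEMPLATE for k in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job")},
}

def _host_process(holder):
    """True when securityContext.windowsOptions.hostProcess is true."""
    opts = (holder.get("securityContext") or {}).get("windowsOptions") or {}
    return opts.get("hostProcess") is True

def find_host_process(manifest):
    """Return the field paths in one parsed manifest where hostProcess is true."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return []  # kind not targeted by the rule
    spec = manifest
    for key in path:
        spec = spec.get(key) or {}
    prefix = ".".join(path)
    hits = []
    if _host_process(spec):  # pod-level securityContext
        hits.append(f"{prefix}.securityContext.windowsOptions.hostProcess")
    for field in ("initContainers", "containers"):  # container-level settings
        for i, ctr in enumerate(spec.get(field) or []):
            if _host_process(ctr):
                hits.append(f"{prefix}.{field}[{i}].securityContext.windowsOptions.hostProcess")
    return hits

# Constructed manifests, in the dict form a YAML loader returns.
FAIL_CRONJOB = {
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "containers": [
            {"name": "app", "image": "example/app"},
            {"name": "agent", "image": "example/agent",
             "securityContext": {"windowsOptions": {"hostProcess": True}}},
        ]}}}}},
}
PASS_POD = {
    "kind": "Pod",
    "spec": {"securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
             "containers": [{"name": "app", "image": "example/app"}]},
}

if __name__ == "__main__":
    for m in (FAIL_CRONJOB, PASS_POD):
        print(m["kind"], find_host_process(m) or "ok")
```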
