Disallow Host Process

Description

Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are stable as of Kubernetes 1.26.

Restricted Fields

  • spec.securityContext.windowsOptions.hostProcess
  • spec.containers[*].securityContext.windowsOptions.hostProcess
  • spec.initContainers[*].securityContext.windowsOptions.hostProcess
  • spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess

Allowed Values

  • Undefined/nil
  • false

Risks

HostProcess determines if a container should be run as a ‘Host Process’ container. All of a Pod’s containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true. When hostProcess is set to true, we will encounter the following risks:

  • Privileged Access: Windows HostProcess containers run with elevated privileges on the host node. This grants them the ability to interact directly with the Windows host system,

  • Network Traffic Snooping: Enabling hostNetwork allows a pod to access the node’s network namespace, which includes the ability to monitor all network traffic on the node. This could lead to sensitive data exposure if an attacker manages to deploy a malicious pod that can snoop on network communications.

  • Access Services Bound to Localhost: You can gain access to services that are only available on the host’s loopback interface or are otherwise restricted by network policies. These services could present opportunities for privilege escalation.

  • Bypassing Network Policies: When a pod is deployed with hostNetwork: true, it can bypass restrictive network policies applied to the namespace. This occurs because the pod is bound to the host’s network interfaces rather than being confined to the network restrictions at the pod level.

Kyverno Policy

Refer to the Nirmata curated policies - disallow-host-process.yaml

References

Configuration Settings

The below configuration indicates that if the deployed resource contains one of ephemeralContainers or initContainers or containers in their spec field, AND if securityContext.windowsOptions.hostProcess, field is present, then the only acceptable value is false to be conformant with this security control. If the securityContext.windowsOptions.hostProcess field is not present, then the resource is conformant by default.

=(ephemeralContainers):
  - =(securityContext):
    =(windowsOptions):
      =(hostProcess): "false"
=(initContainers):
  - =(securityContext):
    =(windowsOptions):
      =(hostProcess): "false"
containers:
  - =(securityContext):
    =(windowsOptions):
      =(hostProcess): "false"

Resource Example

Below is a Deployment resource example where securityContext.windowsOptions.hostProcess is set to false for both initContainers and containers.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      hostNetwork: true
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          windowsOptions:
            hostProcess: false
      - name: initcontainer02
        image: dummyimagename
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          windowsOptions:
            hostProcess: false