
V-260939

CAT II (Medium)

MKE users must not have permissions to create containers or pods that share the host user namespace.

Rule ID

SV-260939r966174_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-002233

Discussion

To limit the attack surface of MKE, nonessential services must not be installed, and access to the host system must follow the principle of least privilege. User namespaces ensure that a root process inside a container is mapped to a nonroot user outside the container. Sharing the host's user namespace with a container removes that isolation: UID 0 inside the container is UID 0 on the host. By default, the host user namespace is shared with containers until user namespace support (the Docker daemon's userns-remap setting) is enabled.

Check Content

When using Kubernetes orchestration, this check is Not Applicable.

When using Swarm orchestration, verify that no container shares the host user namespace.

Log in to the CLI as an MKE Admin and execute the following command using a Universal Control Plane (MKE) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'

Ensure that UsernsMode is empty for every container listed. If any container returns UsernsMode=host, the host user namespace is shared with that container, and this is a finding.
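As an added example (not part of the STIG text and not Mirantis tooling), the following POSIX shell script wraps the check command above and filters its output, so the finding can be scripted across many containers instead of read by eye. It assumes a docker CLI already configured through an MKE client bundle for the live check; the filtering function is pure text processing and is exercised here with constructed sample lines.

```shell
#!/bin/sh
# Added example for MKE STIG V-260939 (not from the STIG or from Mirantis).
# Assumption: `docker` on PATH is already pointed at the MKE Swarm through
# an MKE client bundle (only needed for the --live mode).

# Emit one "<id>: UsernsMode=<value>" line per container, in exactly the
# shape the STIG's check command produces.
inspect_userns() {
    docker ps --quiet --all | xargs docker inspect \
        --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'
}

# Read inspect lines on stdin and print "FINDING <id>" for every container
# whose UsernsMode is "host". Returns 0 when nothing is shared with the host
# user namespace, 1 when at least one finding exists.
flag_host_userns() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            *"UsernsMode=host"*)
                # The container ID is everything before the first colon.
                printf 'FINDING %s\n' "${line%%:*}"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Live mode: run the real check against the cluster. Invoked only when the
# script is called with --live so it can also be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
    if inspect_userns | flag_host_userns; then
        echo "No containers share the host user namespace (not a finding)."
    else
        echo "Finding: the containers above were created with --userns=host." >&2
        exit 1
    fi
fi
```

Run it as `sh check-userns.sh --live` with the client bundle sourced. Note that `docker ps --quiet --all | xargs docker inspect` errors out when the node has no containers at all, because `docker inspect` is then invoked with no arguments; that is a harmless false error, not a finding.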

Fix Text

When using Kubernetes orchestration, this check is Not Applicable.
 
When using Swarm orchestration, review the containers reported by the check and remove any nonsystem container that was created with UsernsMode set to host, using:

docker container rm [container]

Stop the container first (docker container stop [container]) or add --force; docker container rm refuses to delete a running container otherwise. Re-create the workload without the --userns=host option so that it runs under the daemon's user namespace mapping.