Ensure 'procMount' is set to default in all Kubernetes workloads

MEDIUM

Description

Unmasking procMount removes the default /proc masks, exposing more kernel and host information to the processes running in the containers spawned by Kubernetes than they need.

Remediation

The default /proc masks are set up to reduce attack surface and should be required. Make sure that in your Kubernetes workload configuration the securityContext field's 'procMount' parameter is set to Default. For more information, see the Kubernetes documentation.
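The following is an added example, not part of this policy page or of any Tenable tooling: a small audit script that walks a Pod manifest (or the pod template of a workload such as a Deployment) and reports every container whose securityContext.procMount is set to anything other than Default. An unset procMount is equivalent to Default and is treated as compliant; "Unmasked" is the value that removes the /proc masks. The two manifests are constructed sample input, embedded as JSON so the script runs offline with only the standard library.

```python
import json

# Constructed sample manifests (not from the policy page). The first is compliant:
# one container sets procMount explicitly to Default, the other leaves it unset.
COMPLIANT_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web"},
  "spec": {"containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"procMount": "Default"}},
    {"name": "sidecar", "image": "example/sidecar:1.0"}
  ]}
}""")

# Constructed non-compliant manifest: the main container unmasks /proc.
UNMASKED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "debug"},
  "spec": {
    "initContainers": [
      {"name": "init", "image": "example/init:1.0"}
    ],
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"procMount": "Unmasked"}}
    ]
  }
}""")

# Every list in a PodSpec that can carry a securityContext.procMount.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec_of(obj):
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template
    at spec.template (Deployment, StatefulSet, DaemonSet, Job, ReplicaSet)."""
    spec = obj.get("spec", {})
    if "template" in spec:
        return spec["template"].get("spec", {})
    return spec


def find_unmasked_procmount(obj):
    """Return a list of findings, one per container whose procMount is not Default.

    An absent procMount means Default and is compliant. Any other explicit value
    (in practice "Unmasked") is reported with its path in the manifest.
    """
    findings = []
    spec = pod_spec_of(obj)
    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(list_name, [])):
            value = (container.get("securityContext") or {}).get("procMount")
            if value is not None and value != "Default":
                name = container.get("name", "<unnamed>")
                findings.append(f"spec.{list_name}[{idx}] ({name}): procMount={value}")
    return findings


def is_compliant(obj):
    """True when no container in the manifest unmasks /proc."""
    return not find_unmasked_procmount(obj)


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, UNMASKED_POD):
        name = pod["metadata"]["name"]
        problems = find_unmasked_procmount(pod)
        if problems:
            print(f"{name}: FAIL")
            for line in problems:
                print("  " + line)
        else:
            print(f"{name}: PASS")
```

The check deliberately treats a missing securityContext or a missing procMount as compliant, because Kubernetes applies the default masks in that case; only an explicit non-Default value is flagged. Resources that nest the pod template deeper (for example CronJob, under spec.jobTemplate.spec.template) would need pod_spec_of extended accordingly.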

References:
https://kubernetes.io/docs/concepts/security/pod-security-standards/

Policy Details

Rule Reference ID: AC_K8S_0077
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks