MKE users must not have permissions to create containers or pods that share the host user namespace.
An XCCDF Rule
Description
<VulnDiscussion>To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of least privilege. User namespaces ensure that a root process inside the container will be mapped to a nonroot process outside the container. Sharing the user namespaces of the host with the container thus does not isolate users on the host with users on the containers. By default, the host user namespace is shared with the containers until user namespace support is enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-260939r966174_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
When using Kubernetes orchestration, this check is Not Applicable.
When using Swarm orchestration, review and remove nonsystem containers previously created by these users without the runAsGroup using:
docker container rm [container]