Title

MKE users must not have permissions to create containers or pods that share the host user namespace. (Cat II impact)

Discussion

To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of least privilege. User namespaces ensure that a root process inside the container will be mapped to a nonroot process outside the container. Sharing the user namespaces of the host with the container thus does not isolate users on the host with users on the containers. By default, the host user namespace is shared with the containers until user namespace support is enabled.

Check Content

When using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration, ensure that the PIDs cgroup limit is used. Log in to the CLI as an MKE Admin and execute the following command using a Universal Control Plane (MKE) client bundle: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}' Ensure it does not return any value for UsernsMode. If it returns a value of "host", that means the host user namespace is shared with the containers, and this is a finding.

Fix Text

When using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration, review and remove nonsystem containers previously created by these users without the runAsGroup using: docker container rm [container]

Additional Identifiers

Rule ID: SV-260939r966174_rule

Vulnerability ID: V-260939

Group Title: SRG-APP-000342-CTR-000775

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.