Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Minimize Admission of Containers Sharing the Host Process ID Namespace

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that containers are prohibited from being admitted if they have "hostPID" set to true. The "hostPID" flag should be restricted because it allows containers to share the host operating system's Process ID (PID) namespace. Sharing the host's PID namespace grants the container the ability to view, and potentially interact with, all processes running on the host node, including those belonging to the Kubernetes system (like the Kubelet) or other isolated containers.

Security

Since a container in the host's PID namespace can inspect external processes, and potentially escalate privileges if granted ptrace capabilities, an admission control policy must be defined to block host PID sharing. If containers require **hostPID: true**, implement a separate, restrictive policy. Access to this policy must be strictly governed, allowing use only by limited service accounts and users.

Audit

To determine if the containers are permitted to operate with the "hostPID" flag set to true, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version

  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.34.1

  9. Run the following command to list the names of all Pods across all namespaces and filter the command output for containers with "hostPID" flag set to true:

    kubectl get pods --all-namespaces -o json | jq -r '.items[] | select(.spec.hostPID == true) | "\(.metadata.namespace)/\(.metadata.name)"'

  10. The command output should return the requested information:

    dev/monitoring-agent-abc
dev/canal-abcd1234
dev/kube-proxy-123abc
dev/proxymux-client-abc123

    If the command output returns one or more results, it indicates that Pods are running within the selected OKE cluster that violate the security restriction against host PID namespace sharing (i.e., containers are permitted to run with hostPID: true).

Remediation / Resolution

To ensure that containers are not permitted to run with the "hostPID" flag set to true, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version

  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.34.1

  9. Run the kubectl get namespaces command to identify your Kubernetes user-workload namespaces. A Kubernetes user-workload namespace is a logical partition within an OKE cluster intended for hosting applications and services deployed by users or development teams:

    kubectl get namespaces

  10. The command output should return a list with all namespaces. OCI Kubernetes Engine (OKE) clusters come with several default namespaces. Exclude the default OKE system namespaces (i.e., kube-system, kube-public, kube-node-lease, and default) from your implementation:

    NAME                 STATUS   AGE
default              Active   16d
kube-node-lease      Active   16d
kube-public          Active   16d
kube-system          Active   16d
...
dev                  Active   16d
staging              Active   16d
prod                 Active   16d

  11. The Baseline and Restricted Pod Security Standard (PSS) profiles, when enforced at the namespace level, disallow the use of hostPID: true. To block Pods using host Process ID (PID) sharing, run the kubectl label command for each Kubernetes user-workload namespace where enforcement is desired. This command applies the appropriate security policy. By using a label such as pod-security.kubernetes.io/enforce=baseline, you instruct the Kubernetes API server that any new Pod in that namespace must comply with the Baseline security policy. Once this enforcement label is applied, the API server will reject any Pod creation request in that namespace if a container's security context explicitly sets hostPID: true. Replace \<user-workload-namespace\> with the name of your own namespace:

    kubectl label namespace <user-workload-namespace> pod-security.kubernetes.io/enforce=baseline

  12. The command output should return the name of the labeled user-workload-namespace:

    namespace/<user-workload-namespace> labeled

References

Publication date Dec 11, 2025

Related OCI-OKE rules