CV-C004: Host PID mode
Severity: Error | Category: Security
Why This Matters
Setting pid: host makes the container share the host's PID namespace. Processes inside the container can then see, and depending on their privileges signal, every process on the host, including those running as root. This breaks process isolation and can be exploited for container escape.
How to Fix
Remove pid: host unless you are actively debugging host processes.
Before (incorrect)

```yaml
services:
  web:
    pid: host
```

After (correct)

```yaml
services:
  web:
    # pid: host removed
```

Rule Details
- Rule Code: CV-C004
- Severity: Error
- Category: Security
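As an added illustration of what this rule checks (example code written for this page, not the linter's own implementation), the scanner below walks the top-level services block of a Compose file and reports every service that sets pid: host, quoted or unquoted; the sample Compose text and the function names are constructed for the example.

```python
RULE = "CV-C004"

# Constructed sample Compose file (not from the original page).
SAMPLE_COMPOSE = """\
services:
  web:
    image: nginx:1.25
    pid: host
  worker:
    image: busybox
    pid: "host"
  db:
    image: postgres:16
    # pid: host removed
"""


def find_host_pid(compose_text):
    """Return [(line_no, service_name)] for each service that sets pid: host.

    Minimal indentation-based scan of the top-level `services:` mapping.
    It does not resolve YAML anchors, merge keys or `extends`; a full YAML
    parser is needed for those (kept stdlib-only here so it runs anywhere).
    """
    findings = []
    in_services = False
    service = None
    service_indent = 0
    for no, raw in enumerate(compose_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")     # accept pid: "host" too
        if indent == 0:                         # new top-level key
            in_services = key == "services"
            service = None
            continue
        if not in_services:
            continue
        if service is None or indent <= service_indent:
            service, service_indent = key, indent   # new service entry
            continue
        if key == "pid" and value == "host":
            findings.append((no, service))
    return findings


def report(compose_text):
    """Render findings in the rule's own terms, one line per service."""
    return [f"{RULE} line {no}: service '{svc}' sets pid: host; "
            f"remove it unless actively debugging host processes"
            for no, svc in find_host_pid(compose_text)]
```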