Privilege Escalation: Workload with shareProcessNamespace enabled
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
Someone deployed a workload with the shareProcessNamespace option set to
true, allowing all containers to share the same Linux process namespace. This
could allow an untrusted or compromised container to escalate privileges by
accessing and controlling environment variables, memory, and other sensitive
data from processes running in other containers. Some workloads might require
this functionality to operate for legitimate reasons, such as log handling
sidecar containers or debugging containers. For more details, see the log
message for this alert.
How to respond
To respond to this finding, do the following:
1. Confirm that the workload actually requires access to a shared process namespace for all containers in the workload.
2. Check whether there are other signs of malicious activity by the principal in the audit logs in Cloud Logging.
3. If the principal isn't a service account (IAM or Kubernetes), contact the owner of the account to confirm whether they conducted the action.
4. If the principal is a service account (IAM or Kubernetes), identify the legitimacy of what caused the service account to perform this action.
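The first response step is to establish which pods actually set shareProcessNamespace and whether that is documented. The following is an added triage helper, not part of this document or of Security Command Center; it walks pod manifests in the shape of kubectl get pods -A -o json output (a constructed sample is embedded) and assumes a hypothetical justification annotation, example.com/shared-pid-reason, that a team might use to record legitimate sidecar use.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_POD_LIST = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "logging", "name": "fluent-bit-7b",
                  "annotations": {"example.com/shared-pid-reason": "log handling sidecar"}},
     "spec": {"shareProcessNamespace": true,
              "containers": [{"name": "app"}, {"name": "log-shipper"}]}},
    {"metadata": {"namespace": "default", "name": "web-5c9"},
     "spec": {"shareProcessNamespace": true,
              "containers": [{"name": "web"}, {"name": "helper"}]}},
    {"metadata": {"namespace": "default", "name": "api-1f2"},
     "spec": {"containers": [{"name": "api"}]}}
  ]
}
""")


def find_shared_pid_pods(pod_list, reason_annotation="example.com/shared-pid-reason"):
    """Return one record per pod whose spec sets shareProcessNamespace: true.

    The annotation name is a hypothetical convention: a pod carrying it is reported as
    'documented', any other pod is 'review', meaning the shared namespace still has to be
    justified (or removed) before the finding can be closed as benign.
    """
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        # shareProcessNamespace defaults to false; only an explicit true matters here.
        if spec.get("shareProcessNamespace") is not True:
            continue
        meta = pod.get("metadata", {})
        reason = (meta.get("annotations") or {}).get(reason_annotation)
        findings.append({
            "pod": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
            "containers": [c.get("name") for c in spec.get("containers", [])],
            "status": "documented" if reason else "review",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_shared_pid_pods(SAMPLE_POD_LIST):
        print(f"{f['status']:10} {f['pod']}  containers={f['containers']}  reason={f['reason']}")
```

Pods listed as "review" are the ones to take into steps 2 to 4, together with the principal recorded in the audit log for the deployment.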
Last updated 2025-08-29 UTC.