hostPID: When enabled (`hostPID: true` in the Pod spec), the container shares the host's process namespace, so it can see and potentially interact with host processes.
SYS_PTRACE capability: Grants the container the ability to trace, inspect, and modify other processes (e.g., via the ptrace(2) system call).
Combination of hostPID + SYS_PTRACE allows a container to attach to and modify host processes, which is a direct privilege escalation.
Other options explained:
hostPath + AUDIT_WRITE: hostPath exposes filesystem paths on the node, but neither setting inherently allows process modification.
hostNetwork + NET_RAW: grants raw socket access, but only for networking, not host process modification.
A: Incorrect; such combinations do exist (B is one).
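As an added example (not part of this explanation, and not Kubernetes project code), the following Python audit walks a Pod manifest and reports the hostPID + SYS_PTRACE pairing as a critical finding while rating the weaker combinations separately. The two manifests, the pod names and the image names are constructed for illustration; real manifests would come from `kubectl get pod -o json` fed through `json.load`.

```python
"""Flag Pod specs that pair hostPID with the SYS_PTRACE capability.

Added example: consumes plain-dict manifests (what json.load on
`kubectl get pod -o json` or yaml.safe_load on a manifest returns) and
reports the combination discussed above. Sample manifests are constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, container name, message)

# Constructed: a pod that shares the host PID namespace and adds SYS_PTRACE.
RISKY_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-debug"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "tracer",
            "image": "example.invalid/tools:latest",  # placeholder image
            "securityContext": {"capabilities": {"add": ["CAP_SYS_PTRACE"]}},
        }],
    },
}

# Constructed: the same workload with hostPID off and no added capabilities.
SAFE_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",  # placeholder image
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
        }],
    },
}


def _added_caps(container: Dict) -> set:
    """Capabilities a container adds, normalised without the CAP_ prefix.
    Kubernetes accepts both spellings (SYS_PTRACE and CAP_SYS_PTRACE)."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    out = set()
    for cap in caps.get("add") or []:
        cap = str(cap).upper()
        out.add(cap[4:] if cap.startswith("CAP_") else cap)
    return out


def audit_pod(pod: Dict) -> List[Finding]:
    """Return findings for one Pod; init containers are checked too."""
    spec = pod.get("spec") or {}
    host_pid = bool(spec.get("hostPID", False))
    findings: List[Finding] = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # privileged: true grants every capability, SYS_PTRACE included
        can_ptrace = "SYS_PTRACE" in _added_caps(c) or bool(sc.get("privileged"))
        if host_pid and can_ptrace:
            findings.append(("CRITICAL", name,
                             "hostPID + SYS_PTRACE: container can attach to "
                             "and modify host processes"))
        elif host_pid:
            findings.append(("WARN", name,
                             "hostPID: container can see host processes"))
        elif can_ptrace:
            findings.append(("WARN", name,
                             "SYS_PTRACE without hostPID: tracing is confined "
                             "to the container's own PID namespace"))
    if spec.get("hostNetwork"):
        findings.append(("INFO", "-",
                         "hostNetwork: host network access, not host process access"))
    return findings


def is_host_process_escalation(pod: Dict) -> bool:
    """True when any container can ptrace processes on the host."""
    return any(sev == "CRITICAL" for sev, _, _ in audit_pod(pod))


if __name__ == "__main__":
    for pod in (RISKY_POD, SAFE_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```

In a cluster you would normally stop this at admission rather than audit after the fact: the Pod Security Standards baseline profile already rejects `hostPID: true` and does not allow adding SYS_PTRACE, so enforcing at least baseline on a namespace removes option B's combination before a Pod is scheduled.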
References:
- Kubernetes Docs, Share Process Namespace between Containers in a Pod: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
- Linux capabilities(7) man page: https://man7.org/linux/man-pages/man7/capabilities.7.html