Host Users
k8s.host-users
Requires workload PodSpecs to set hostUsers: false. User Namespaces
(GA in Kubernetes v1.36) map container UIDs to unprivileged host UIDs
so that a container escape no longer hands the attacker root on the
node. Complements non-root — that check drops privilege inside the
container; this one isolates UIDs across the kernel boundary. Target
cluster must be on K8s >=1.36; workloads that legitimately need host
UIDs (e.g. log shippers reading host paths) can be opted out via
include/exclude in lunar-config.yml.
Enable This Guardrail
Add the parent policy to your lunar-config.yml to enable this guardrail.
```yaml
policies:
  - uses: github://earthly/lunar-lib/policies/k8s@v1.0.5
    include: [host-users]
    # with: ...
```
How This Guardrail Works
This guardrail is part of the Kubernetes Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.
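One way to express this check over parsed manifests, as an added example that is not Lunar's or lunar-lib's own code: it locates the PodSpec for each workload kind and reports every workload that does not explicitly set hostUsers: false. The function names and the sample manifests are constructed for illustration.

```python
# Path from the object root to its PodSpec, per workload kind.
POD_SPEC_PATHS = {
    kind: ("spec", "template", "spec")
    for kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job")
}
POD_SPEC_PATHS["Pod"] = ("spec",)
POD_SPEC_PATHS["CronJob"] = ("spec", "jobTemplate", "spec", "template", "spec")

def pod_spec(manifest):
    """Return the PodSpec dict of a workload manifest, or None if it is not a workload."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return {}  # workload with a missing spec level: treat hostUsers as unset
    return node if isinstance(node, dict) else {}

def check_host_users(manifests):
    """Return (kind/name, reason) for each workload that does not set hostUsers: false."""
    findings = []
    for m in manifests:
        spec = pod_spec(m)
        if spec is None:
            continue  # Service, ConfigMap, ...: no PodSpec to check
        name = f'{m["kind"]}/{m.get("metadata", {}).get("name", "<unnamed>")}'
        if "hostUsers" not in spec:
            findings.append((name, "hostUsers unset (Kubernetes defaults to true)"))
        elif spec["hostUsers"] is not False:
            findings.append((name, f"hostUsers is {spec['hostUsers']!r}, expected false"))
    return findings

# Constructed sample manifests, already parsed into dicts.
SAMPLES = [
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {"hostUsers": False, "containers": []}}}},
    {"kind": "CronJob", "metadata": {"name": "report"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": []}}}}}},
    {"kind": "DaemonSet", "metadata": {"name": "log-shipper"},
     "spec": {"template": {"spec": {"hostUsers": True, "containers": []}}}},
    {"kind": "Service", "metadata": {"name": "api"}, "spec": {"ports": []}},
]

if __name__ == "__main__":
    for name, reason in check_host_users(SAMPLES):
        print(f"FAIL {name}: {reason}")
```

An omitted field is reported the same as an explicit true, because a PodSpec without hostUsers runs in the host user namespace.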
Configuration Options
These inputs can be configured in your lunar-config.yml to customize
how the parent policy (and this guardrail) behaves.
| Input | Required | Default | Description |
|---|---|---|---|
| min_replicas | Optional | 3 | Minimum replicas required for HPAs (default 3) |
| max_limit_to_request_ratio | Optional | 4 | Maximum ratio of limits to requests for CPU/memory (default 4) |
| min_kubectl_version | Optional | 1.28 | Minimum kubectl version required in CI (semver, e.g. "1.28") |
Kubernetes Guardrails
This guardrail is part of the Kubernetes Guardrails policy, which includes 11 guardrails for deployment and infrastructure.