IPC namespace sharing is allowed
ID | share_host_ipc
Severity | low
Vendor | Kubernetes
Resource | General Security
Tags | reachable
Description
The hostIPC field controls whether a pod's containers share the host's IPC namespace. You can enforce cluster-level restrictions that keep containers isolated by using a PodSecurityPolicy that sets hostIPC to false.
Preventing a pod from sharing the host PID and IPC namespaces, host networking, and host ports ensures proper isolation between containers and the underlying host.
Examples
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: bad
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: false
  hostPorts:
    - min: 0
      max: 65535
  hostPID: true
  hostIPC: true  # (1)
(1) | Configuration hostIPC set to true means the pod's containers share the host IPC namespace. |
Mitigation / Fix
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: good
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostPID: false
  hostIPC: false  # (1)
(1) | Configuration hostIPC set to false means the pod's containers cannot share the host IPC namespace. |
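To check this rule against a live cluster or exported manifests, here is an added Python example (not part of the rule page and not the vendor's scanner). It scans the JSON produced by `kubectl get pods,deployments,daemonsets,statefulsets,jobs,cronjobs,podsecuritypolicies -A -o json` and reports a PodSecurityPolicy whose spec.hostIPC is true (the policy allows sharing) and any Pod or pod template whose hostIPC is true (the workload actually requests sharing). The sample input at the bottom is constructed to mirror the two policies above plus a Pod and a Deployment; the function and kind names are this example's own. Two caveats a reviewer will want: this rule evaluates only hostIPC, so the "good" policy above passes it while still permitting privileged containers, all capabilities and the full host port range, which separate rules must cover; and PodSecurityPolicy was removed in Kubernetes 1.25, where the baseline Pod Security Standard enforced by Pod Security Admission rejects hostIPC: true instead.

```python
"""Report Kubernetes objects that share the host IPC namespace (hostIPC: true).

Added example, not part of the rule page. Input is the JSON shape produced by
`kubectl get <kinds> -A -o json`: a List object whose `items` are Pods, workload
controllers carrying a pod template, or PodSecurityPolicy objects.
"""
import json
import sys

# Workload kinds whose pod spec lives at spec.template.spec
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def pod_spec_of(obj):
    """Return the PodSpec embedded in a workload object, or None if the kind has none."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        # CronJob nests a Job template, which in turn nests the pod template.
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return None


def find_host_ipc(items):
    """Return (kind, namespace/name, reason) for every item that enables hostIPC.

    A PodSecurityPolicy is flagged when it *allows* hostIPC; a pod or pod template
    is flagged when it actually requests it. An absent field defaults to false,
    and only a JSON boolean true counts (kubectl never emits the string "true").
    """
    findings = []
    for obj in items:
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        # Cluster-scoped objects such as PodSecurityPolicy have no namespace.
        name = f"{meta.get('namespace', '-')}/{meta.get('name', '?')}"
        if kind == "PodSecurityPolicy":
            if obj.get("spec", {}).get("hostIPC") is True:
                findings.append((kind, name, "policy allows hostIPC"))
            continue
        spec = pod_spec_of(obj)
        if spec is not None and spec.get("hostIPC") is True:
            findings.append((kind, name, "pod shares host IPC namespace"))
    return findings


def scan_json(text):
    """Parse kubectl JSON output (a List or a single object) and scan it."""
    doc = json.loads(text)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return find_host_ipc(items)


# Constructed sample mirroring the page's two PodSecurityPolicy examples plus a
# Pod and a Deployment; this is not real cluster output.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "PodSecurityPolicy", "metadata": {"name": "bad"},
         "spec": {"privileged": True, "hostPID": True, "hostIPC": True}},
        {"kind": "PodSecurityPolicy", "metadata": {"name": "good"},
         "spec": {"privileged": True, "hostPID": False, "hostIPC": False}},
        {"kind": "Pod", "metadata": {"namespace": "default", "name": "ipc-pod"},
         "spec": {"hostIPC": True, "containers": [{"name": "c", "image": "busybox"}]}},
        {"kind": "Deployment", "metadata": {"namespace": "apps", "name": "web"},
         "spec": {"template": {"spec": {"containers": [{"name": "c", "image": "nginx"}]}}}},
    ],
})


if __name__ == "__main__":
    # Usage: python check_host_ipc.py [kubectl-output.json]; without a file the sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = scan_json(text)
    for kind, name, reason in hits:
        print(f"{kind} {name}: {reason}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status when any finding exists lets the script gate a CI pipeline or a scheduled cluster audit; run against the constructed sample it reports the "bad" policy and the "ipc-pod" Pod and nothing else.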