Ensure containers do not share host IPC namespace
Error: Containers share host IPC namespace
Bridgecrew Policy ID: BC_K8S_17
Checkov Check ID: CKV_K8S_18
Severity: MEDIUM
Description
Containers in a pod already share many resources, so sharing a process namespace between them can make sense. Sharing the host's IPC namespace is different: some container images expect to be isolated from other containers, and keeping each pod off the host IPC namespace preserves that isolation. Containers in different pods have distinct IP addresses and need special configuration to communicate over IPC, so there is rarely a reason to opt in.
Fix - Buildtime
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: hostIPC (Optional)
If true, the Pod uses the host's IPC namespace. Defaults to false.
Pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
+ hostIPC: false # or do not include hostIPC at all
```

CronJob (the pod spec sits under jobTemplate):

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
+         hostIPC: false # or do not include hostIPC at all
```

Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job (the pod spec sits under template):

```yaml
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
+     hostIPC: false # or do not include hostIPC at all
```
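As an added example (not part of this page and not Checkov's own code), the script below reproduces the check's logic for the resource kinds listed above: locate the pod spec at the right path for each kind, fail when hostIPC is true, and treat an absent field as passing because it defaults to false. Manifests are given as already-parsed dicts (assumption: the shape yaml.safe_load_all() returns), so it runs without extra dependencies.

```python
"""Re-implementation of the CKV_K8S_18 logic: flag pod specs with hostIPC: true."""

# Where the pod spec lives for each supported kind (mirrors the resource list above).
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
for _kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
              "ReplicationController", "Job"):
    POD_SPEC_PATH[_kind] = ("spec", "template", "spec")


def pod_spec(manifest):
    """Return the pod spec dict of a supported kind, or None if it cannot be located."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, dict) else None


def check_host_ipc(manifest):
    """Return 'FAILED' if hostIPC is true, 'PASSED' if false or absent (the default),
    'UNKNOWN' when the kind is unsupported or the pod spec is missing."""
    spec = pod_spec(manifest)
    if spec is None:
        return "UNKNOWN"
    return "FAILED" if spec.get("hostIPC") is True else "PASSED"


# Constructed sample documents, shaped as yaml.safe_load_all() would return them.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "shares-ipc"},
     "spec": {"hostIPC": True, "containers": [{"name": "app", "image": "app:1"}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "web:1"}]}}}},
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"schedule": "0 2 * * *",
              "jobTemplate": {"spec": {"template": {"spec": {"hostIPC": False}}}}}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "svc"}, "spec": {}},
]

if __name__ == "__main__":
    for doc in SAMPLE_MANIFESTS:
        print(f"{check_host_ipc(doc):7} {doc['kind']}/{doc['metadata']['name']}")
```

Running it prints FAILED only for the Pod that sets hostIPC: true; the Deployment with no hostIPC key passes, and the Service is reported UNKNOWN because it has no pod spec.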