Containers should not use the host IPC namespace
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | Kubernetes | PERMISSION |
Description
Inter-Process Communications (IPC) namespaces allow containers to share information easily, in order to synchronize their processes. The Host IPC is a high-level namespace, and granting access to it might be tempting, as it simplifies communications handling. However, it also make all of your resources vulnerable to one compromised container.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
In case of a compromised container, the host's data is exposed, and attackers might take control of the host.
Remediation guidelines
Disallow access to the host namespace. This can be done by changing 'containers[].securityContext.spec.hostIPC' to 'false'.
References
Was this page helpful?
