Containers should not use the host IPC namespace
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | Kubernetes | PERMISSION |
Description
Inter-Process Communication (IPC) namespaces let processes share System V IPC objects and POSIX message queues, so containers in the same namespace can exchange information and synchronize easily. The host's own IPC namespace is the top-level one, and granting a pod access to it (hostIPC: true) may be tempting because it simplifies communication handling. However, it also exposes every IPC resource on the host to a single compromised container.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
If a container is compromised, data in the host's IPC namespace is exposed, and attackers might use it to take control of the host.
Remediation guidelines
Disallow access to the host IPC namespace. hostIPC is a Pod-level field, not a container securityContext field: set 'spec.hostIPC' in the pod template to 'false', or omit it, since it defaults to false.
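An added example of checking for and remediating this setting across the common workload kinds (this is illustrative code written for this page, not the rule engine's own implementation). It walks the real API path to the PodSpec for each kind, flags any workload with spec.hostIPC: true, and returns a hardened copy; the SAMPLE objects are constructed and only imitate the shape of kubectl -o json output.

```python
import copy

# Where each workload kind keeps the PodSpec that carries hostIPC (real API paths).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
# Constructed sample shaped like `kubectl get ... -o json` (kind: List); not real cluster data.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "debug-shell", "namespace": "ops"},
     "spec": {"hostIPC": True, "containers": [{"name": "sh", "image": "busybox"}]}},
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"template": {"spec": {"hostIPC": True, "containers": [{"name": "web", "image": "nginx"}]}}}},
    {"kind": "Pod", "metadata": {"name": "clean", "namespace": "prod"},
     "spec": {"containers": [{"name": "app", "image": "alpine"}]}},
]}

def _objects(doc):
    """Workload objects from either a single object or a kubectl List."""
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]

def _pod_spec(obj):
    """Return the PodSpec dict for a known workload kind, else None."""
    if obj.get("kind") not in POD_SPEC_PATHS:
        return None
    node = obj
    for key in POD_SPEC_PATHS[obj["kind"]]:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None

def find_host_ipc(doc):
    """(kind, namespace, name) for every workload whose PodSpec sets hostIPC: true."""
    hits = []
    for obj in _objects(doc):
        spec = _pod_spec(obj)
        if spec and spec.get("hostIPC") is True:
            meta = obj.get("metadata", {})
            hits.append((obj["kind"], meta.get("namespace", "default"), meta.get("name", "")))
    return hits

def harden(doc):
    """Deep copy of doc with spec.hostIPC set to false wherever find_host_ipc flags it."""
    fixed = copy.deepcopy(doc)
    for spec in filter(None, map(_pod_spec, _objects(fixed))):
        if spec.get("hostIPC") is True:
            spec["hostIPC"] = False
    return fixed
```

Running find_host_ipc on SAMPLE reports the ops/debug-shell Pod and the prod/web Deployment; harden returns a copy on which it reports nothing.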