Containers share host IPC namespace
Description
The containers in a pod share a number of resources with each other, so it is reasonable for them to share an IPC namespace among themselves. Setting hostIPC: true goes further: it places the pod's containers in the host's IPC namespace, giving them access to the host's System V IPC objects and POSIX message queues, and to those of every other pod configured the same way. Many container images expect to be isolated from other containers, and a container that can read or modify host shared memory can leak data from, or interfere with, processes outside the pod. Leaving hostIPC unset (the default) or setting it to false keeps each pod in its own IPC namespace. Containers in different pods have distinct IP addresses and should communicate over the network rather than through host IPC. The Baseline Pod Security Standard also disallows hostIPC: true, so enforcing it with Pod Security Admission rejects such pods at creation time.
Code Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  hostIPC: false # or omit hostIPC entirely; the default is false
```
Remediation
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Arguments: hostIPC (Optional). If true, the pod uses the host's IPC namespace. Defaults to false. The field sits at spec.hostIPC on a Pod and inside the pod template (spec.template.spec.hostIPC, or spec.jobTemplate.spec.template.spec.hostIPC for a CronJob) on the other kinds.
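The check below is an added example, not Checkov's own implementation of CKV_K8S_18: it walks parsed manifests for each of the kinds the rule covers, locating the pod spec at the right depth for each kind, and reports every one that explicitly sets hostIPC to true. Manifests are given as already-parsed dicts (what yaml.safe_load would return) so the example runs without PyYAML; the sample manifests are constructed for illustration and are not from the original page.

```python
# Added example (not part of the original rule page): report every pod spec
# that sets hostIPC: true across the resource kinds the rule lists.
# Manifests are already-parsed dicts, so no YAML library is required.

# Where the pod spec lives for each kind the rule covers.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec dict for a supported kind, or None otherwise."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def shares_host_ipc(manifest):
    """True only when hostIPC is the boolean true.

    Absent or false is compliant (the API default is false). A string such
    as "true" is not matched because the API server rejects it for this
    boolean field, so it never results in a running pod.
    """
    spec = pod_spec(manifest)
    return bool(spec) and spec.get("hostIPC") is True


def find_violations(manifests):
    """Return 'kind/name' for each manifest that fails the rule."""
    findings = []
    for m in manifests:
        if shares_host_ipc(m):
            name = m.get("metadata", {}).get("name", "<unnamed>")
            findings.append(f"{m.get('kind')}/{name}")
    return findings


# Constructed sample manifests (assumptions, not real workloads): a failing
# Pod, a failing CronJob with the pod spec nested under jobTemplate, a
# compliant Deployment that omits hostIPC, and a Pod with the explicit
# safe setting.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "debug-shell"},
     "spec": {"hostIPC": True,
              "containers": [{"name": "sh", "image": "busybox"}]}},
    {"apiVersion": "batch/v1", "kind": "CronJob",
     "metadata": {"name": "nightly"},
     "spec": {"schedule": "0 2 * * *",
              "jobTemplate": {"spec": {"template": {"spec": {
                  "hostIPC": True,
                  "containers": [{"name": "job", "image": "busybox"}]}}}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "web", "image": "nginx"}]}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "hardened"},
     "spec": {"hostIPC": False,
              "containers": [{"name": "app", "image": "busybox"}]}},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_MANIFESTS):
        print("CKV_K8S_18 FAILED:", finding)
```

Only the Pod and the CronJob are reported: the Deployment leaves hostIPC unset and the hardened Pod sets it to false, both of which the rule accepts. Kinds outside the table are skipped rather than flagged, which matches the rule's resource list.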
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1096 |
| Severity | MEDIUM |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes |
| Checkov ID | CKV_K8S_18 |