
k8s-host-namespace

Containers should not share the host namespaces

Containers configured to share the host namespaces break process isolation and gain additional visibility into processes and resources running on the host. This access may be used to extract sensitive information such as secrets or to snoop on network traffic. Unless absolutely required by your workflow, containers should not be permitted to access the host namespaces.

Configuration

  • hostIPC: Controls whether the pod containers can share the host IPC namespace.
  • hostNetwork: Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
  • hostPID: Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
  • hostPorts: Provides a list of ranges of allowable ports in the host network namespace. Defined as a list of HostPortRange, with min (inclusive) and max (inclusive). Defaults to no allowed host ports.
  • securityContext.runAsUser: In order to avoid sharing the UID namespace with the host, you MUST explicitly set the UID to a high UID with a value greater than or equal to 10000.

Examples

Insecure Example

apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  hostIPC: true
  hostNetwork: true
  hostPID: true
  containers:
    - name: app
      image: registry/image:tag
      ports:
      - containerPort: 80
      - containerPort: 443
        hostPort: 443 # Do this only if strictly necessary
  securityContext:
    runAsUser: 0

Secure Example

apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  hostIPC: null  # Defaults to false when unset or null anyway
  hostNetwork: false
  hostPID: false
  containers:
    - name: app
      image: registry/image:tag
      ports:
      - containerPort: 80
      - containerPort: 443 # Not using hostPort here...
  securityContext:
    runAsUser: 12000 # MUST be a UID >= 10000
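
Checking a manifest against this rule, as an added example that is not part of the original page or of any scanner's own code. The function name check_pod and the three manifests are constructed for illustration; the manifests are in JSON form (as kubectl get pod -o json would print them) so the block needs only the standard library. It also covers a case the two examples above do not show: a container-level runAsUser overriding a safe pod-level value.

```python
import json

HOST_NAMESPACE_FLAGS = ("hostIPC", "hostNetwork", "hostPID")
MIN_UID = 10000  # threshold stated by the rule on this page


def check_pod(manifest):
    """Return the list of host-namespace findings for one parsed Pod manifest."""
    spec = manifest.get("spec") or {}
    findings = []
    # Unset or null defaults to false, so only an explicit true is reported.
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag) is True:
            findings.append(f"{flag} is true")
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        for port in c.get("ports") or []:
            if port.get("hostPort"):
                findings.append(f"{name}: hostPort {port['hostPort']}")
        # A container-level runAsUser overrides the pod-level one; compare
        # against None so that UID 0 is not mistaken for "unset".
        uid = (c.get("securityContext") or {}).get("runAsUser")
        if uid is None:
            uid = pod_uid
        if uid is None:
            findings.append(f"{name}: runAsUser not set")
        elif uid < MIN_UID:
            findings.append(f"{name}: runAsUser {uid} < {MIN_UID}")
    return findings


# Constructed manifests in JSON form, mirroring the two examples above.
INSECURE = json.loads("""{"spec": {"hostIPC": true, "hostNetwork": true,
  "hostPID": true, "securityContext": {"runAsUser": 0},
  "containers": [{"name": "app", "ports": [{"containerPort": 80},
    {"containerPort": 443, "hostPort": 443}]}]}}""")
SECURE = json.loads("""{"spec": {"hostIPC": null, "hostNetwork": false,
  "hostPID": false, "securityContext": {"runAsUser": 12000},
  "containers": [{"name": "app", "ports": [{"containerPort": 80},
    {"containerPort": 443}]}]}}""")
# Constructed edge case: a sidecar overrides the safe pod-level UID with 0.
OVERRIDE = json.loads("""{"spec": {"securityContext": {"runAsUser": 12000},
  "containers": [{"name": "app"},
    {"name": "sidecar", "securityContext": {"runAsUser": 0}}]}}""")

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE), ("secure", SECURE), ("override", OVERRIDE)):
        print(label, check_pod(pod))
```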

More information