k8s-host-namespace
Containers should not share the host namespaces
A pod configured to share the host namespaces breaks the isolation the container runtime provides and gains visibility into the node's processes, IPC objects and network interfaces. That visibility can be used to read secrets from the command lines, environment or memory of other processes on the node, or to sniff the traffic of other pods. Unless a workload genuinely needs it (typically only node-level agents deployed as DaemonSets), pods should not be permitted to use the host namespaces.
Configuration
- hostIPC: Controls whether the pod's containers share the host IPC namespace (System V IPC objects, POSIX message queues and shared memory segments of every process on the node).
- hostNetwork: Controls whether the pod uses the node's network namespace. A pod on the host network sees the node's interfaces and loopback device, can reach services bound to localhost on the node, and can capture the traffic of other pods on the same node.
- hostPID: Controls whether the pod's containers share the host process ID namespace. The containers can then list every process on the node, including command lines and environment under /proc. Combined with CAP_SYS_PTRACE (not in the default capability set), a process in the pod can attach to host processes and escalate outside the container.
- hostPorts: A PodSecurityPolicy field (PodSecurityPolicy was removed in Kubernetes 1.25) listing the host port ranges a pod is allowed to use, given as HostPortRange entries with an inclusive min and max; it defaults to no allowed host ports. On the pod itself the corresponding setting is containers[].ports[].hostPort, which binds the container port on the node's own IP and should be left unset unless strictly necessary.
- securityContext.runAsUser: Containers share the host user namespace by default, so a UID inside the container is the same UID on the node. To avoid colliding with host system accounts if the process ever escapes the container, you MUST explicitly set runAsUser to a high UID, greater than or equal to 10000. Note that a runAsUser set at the pod level is inherited by every container unless a container's own securityContext overrides it.
Examples
Insecure Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  hostIPC: true
  hostNetwork: true
  hostPID: true
  containers:
    - name: app
      image: registry/image:tag
      ports:
        - containerPort: 80
        - containerPort: 443
          hostPort: 443 # Binds port 443 on the node; only do this if strictly necessary
      securityContext:
        runAsUser: 0 # root inside the container is root on the node
```
Secure Example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  hostIPC: null # Defaults to false when unset or null anyway
  hostNetwork: false
  hostPID: false
  containers:
    - name: app
      image: registry/image:tag
      ports:
        - containerPort: 80
        - containerPort: 443 # No hostPort here
      securityContext:
        runAsUser: 12000 # MUST be a UID >= 10000
```
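As an added example (not part of the original page or of any project's linter), the following Python checker applies this rule to parsed manifests. It takes the dicts that `yaml.safe_load` would produce, so it runs without PyYAML. The three manifests it checks are constructed inline: the two Pods from this page, plus a Deployment (an assumption added here) that shows a container-level `runAsUser` overriding the pod-level one and a sidecar inheriting it.

```python
"""Static check for the k8s-host-namespace rule over parsed Kubernetes manifests.

Added example, not code from the original page. Manifests are plain dicts
(what yaml.safe_load returns); threshold and field names follow the rule text.
"""

HIGH_UID_MIN = 10000                                   # "high UID" floor from the rule
HOST_NAMESPACE_FIELDS = ("hostIPC", "hostNetwork", "hostPID")


def pod_spec(manifest):
    """Return the PodSpec of a Pod, or the embedded PodTemplateSpec of a
    workload such as a Deployment, StatefulSet, DaemonSet or Job."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def check_manifest(manifest):
    """Return a list of (path, message) findings; an empty list means compliant."""
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    spec = pod_spec(manifest)
    findings = []

    # Host namespaces: only an explicit true is a violation. An absent key and
    # an explicit null both mean false to Kubernetes, so both pass.
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field) is True:
            findings.append((f"spec.{field}",
                             f"{name}: {field} is true; pod shares the host namespace"))

    # A pod-level runAsUser is inherited by every container unless the
    # container's own securityContext overrides it.
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")

    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        cname = c.get("name", "<unnamed>")
        for i, port in enumerate(c.get("ports") or []):
            host_port = port.get("hostPort")
            # hostPort unset or 0 means the port is not bound on the node.
            if host_port not in (None, 0):
                findings.append((f"containers[{cname}].ports[{i}].hostPort",
                                 f"{name}/{cname}: hostPort {host_port} binds a port "
                                 "in the host network namespace"))

        uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
        path = f"containers[{cname}].securityContext.runAsUser"
        if uid is None:
            findings.append((path, f"{name}/{cname}: runAsUser not set; falls back "
                                   "to the image USER, which is often root"))
        elif uid < HIGH_UID_MIN:
            findings.append((path, f"{name}/{cname}: runAsUser {uid} is below "
                                   f"{HIGH_UID_MIN} and may collide with a host account"))
    return findings


# Constructed inputs: the two Pods from this page as dicts, plus a Deployment.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "default"},
    "spec": {
        "hostIPC": True, "hostNetwork": True, "hostPID": True,
        "containers": [{
            "name": "app", "image": "registry/image:tag",
            "ports": [{"containerPort": 80}, {"containerPort": 443, "hostPort": 443}],
            "securityContext": {"runAsUser": 0},
        }],
    },
}

SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "default"},
    "spec": {
        "hostIPC": None, "hostNetwork": False, "hostPID": False,
        "containers": [{
            "name": "app", "image": "registry/image:tag",
            "ports": [{"containerPort": 80}, {"containerPort": 443}],
            "securityContext": {"runAsUser": 12000},
        }],
    },
}

# Assumed for illustration: pod-level UID 12000, one container overrides to 1000.
MIXED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "mixed"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 12000},
        "containers": [
            {"name": "app", "image": "registry/image:tag",
             "securityContext": {"runAsUser": 1000}},
            {"name": "sidecar", "image": "registry/sidecar:tag"},
        ],
    }}},
}

if __name__ == "__main__":
    for m in (INSECURE_POD, SECURE_POD, MIXED_DEPLOYMENT):
        for path, msg in check_manifest(m) or [("-", f"{m['metadata']['name']}: ok")]:
            print(f"{path}: {msg}")
```

On real files call `check_manifest(yaml.safe_load(f))` per document. A cluster-side backstop that does not depend on CI is the Pod Security Admission Baseline profile, which rejects hostNetwork, hostPID, hostIPC and non-zero hostPort values at admission; it enforces no UID floor, so the runAsUser check above still belongs in the pipeline.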