Containers should not share the host namespaces
Containers configured to share the host namespaces break process isolation and gain additional visibility on processes and resources running on the host. These may be used to extract sensitive information such as secrets or to snoop on network traffic. Unless absolutely required by your workflow, containers should not be permitted to access the host namespaces.
- hostIPC: Controls whether the pod containers can share the host IPC namespace.
- hostNetwork: Controls whether the pod may use the node network namespace. Doing so gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
- hostPID: Controls whether the pod containers can share the host process ID namespace. Note that when paired with ptrace this can be used to escalate privileges outside of the container (ptrace is forbidden by default).
- hostPorts: Provides a list of ranges of allowable ports in the host network namespace. Defined as a list of HostPortRange, with min (inclusive) and max (inclusive). Defaults to no allowed host ports.
- securityContext.runAsUser: In order to avoid sharing the UID namespace with the host, you MUST explicitly set the UID to a high UID with a value greater than or equal to 10000.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  hostIPC: true
  hostNetwork: true
  hostPID: true
  containers:
    - name: app
      image: registry/image:tag
      ports:
        - containerPort: 80
        - containerPort: 443
          hostPort: 443 # Do this, only if strictly necessary
      securityContext:
        runAsUser: 0
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: default
spec:
  hostIPC: null # Defaults to false when unset or null anyway
  hostNetwork: false
  hostPID: false
  containers:
    - name: app
      image: registry/image:tag
      ports:
        - containerPort: 80
        - containerPort: 443
          # Not using hostPort here...
      securityContext:
        runAsUser: 12000 # MUST be a UID >= 10000
```
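As an added example (not part of the original rule text), the checks above written as a small manifest linter. It assumes the Pod manifest has already been parsed into a Python dict (for instance with yaml.safe_load); the two sample manifests are constructed inline and mirror the YAML documents above, and the linter also honours a pod-level securityContext, which a container-level one overrides.

```python
"""Flag Pod manifests that share host namespaces, use hostPort, or run as a low UID."""

MIN_UID = 10000  # threshold from the rule: runAsUser MUST be >= 10000


def _effective_run_as_user(pod_spec, container):
    """Container-level securityContext overrides the pod-level one (Kubernetes semantics)."""
    for ctx in (container.get("securityContext") or {}, pod_spec.get("securityContext") or {}):
        if "runAsUser" in ctx:
            return ctx["runAsUser"]
    return None  # nothing set: the UID comes from the image, which is often root


def check_pod(pod):
    """Return a list of findings for one parsed Pod manifest; empty means compliant."""
    findings = []
    spec = pod.get("spec") or {}
    for field in ("hostIPC", "hostNetwork", "hostPID"):
        if spec.get(field):  # unset, null and false all mean "not shared"
            findings.append(f"spec.{field} is true: pod shares the host {field[4:]} namespace")
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            name = c.get("name", "<unnamed>")
            for port in c.get("ports") or []:
                if "hostPort" in port:
                    findings.append(f"{kind}/{name}: hostPort {port['hostPort']} binds into the host network namespace")
            uid = _effective_run_as_user(spec, c)
            if uid is None:
                findings.append(f"{kind}/{name}: runAsUser not set, UID is decided by the image")
            elif uid < MIN_UID:
                findings.append(f"{kind}/{name}: runAsUser {uid} is below {MIN_UID}")
    return findings


# Constructed samples: the parsed form of the non-compliant and compliant manifests above.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "default"},
    "spec": {"hostIPC": True, "hostNetwork": True, "hostPID": True,
             "containers": [{"name": "app", "image": "registry/image:tag",
                             "ports": [{"containerPort": 80}, {"containerPort": 443, "hostPort": 443}],
                             "securityContext": {"runAsUser": 0}}]},
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "default"},
    "spec": {"hostIPC": None, "hostNetwork": False, "hostPID": False,
             "containers": [{"name": "app", "image": "registry/image:tag",
                             "ports": [{"containerPort": 80}, {"containerPort": 443}],
                             "securityContext": {"runAsUser": 12000}}]},
}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, check_pod(pod))
```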