Pods should not run containers wishing to share the host IPC namespace


Minimize the admission of containers wishing to share the host IPC namespace. A pod that runs with hostIPC set to true shares the host's IPC namespace, so its containers can interact with processes running on the host via shared memory and other interprocess communication (IPC) mechanisms.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that a Kubernetes Pod has spec.hostIPC set to false, or not specified. By default, hostIPC is false.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
  # Explicitly opt out of the host IPC namespace (false is also the default).
  hostIPC: false
  # other required fields here
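As an added example (not part of the original page), a small Python check that flags manifests opting into the host IPC namespace. It extends the Pod rule above to the pod templates of Deployments, DaemonSets, StatefulSets, Jobs and CronJobs, and treats an unset hostIPC as the default false. Manifests are assumed to be already parsed into dicts (for instance with yaml.safe_load_all); the sample manifests are constructed for the example.

```python
# Static check: report Kubernetes manifests whose pod spec sets hostIPC: true.
# Added example, not part of the original policy page. Input is a list of
# already-parsed manifest dicts; SAMPLE_MANIFESTS below is constructed inline.

# Where each workload kind keeps its pod spec, relative to the object root.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec_of(obj):
    """Return the pod spec dict for a known workload kind, else None."""
    path = POD_SPEC_PATHS.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def shares_host_ipc(obj):
    """True only when hostIPC is explicitly true; absent means the default (false)."""
    spec = pod_spec_of(obj)
    return bool(spec) and spec.get("hostIPC") is True


def find_host_ipc_violations(manifests):
    """Return 'Kind/namespace/name' for each manifest that opts into the host IPC namespace."""
    findings = []
    for obj in manifests:
        if shares_host_ipc(obj):
            meta = obj.get("metadata", {})
            ns, name = meta.get("namespace", "default"), meta.get("name", "<unnamed>")
            findings.append(f"{obj['kind']}/{ns}/{name}")
    return findings


# Constructed samples: the page's compliant Pod plus non-compliant and default variants.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hello"},
     "spec": {"hostIPC": False, "containers": [{"name": "hello", "image": "busybox"}]}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ipc-debug", "namespace": "ops"},
     "spec": {"hostIPC": True, "containers": [{"name": "dbg", "image": "busybox"}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"hostIPC": True, "containers": [{"name": "web", "image": "nginx"}]}}}},
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{"name": "job", "image": "busybox"}]}}}}}},
]

if __name__ == "__main__":
    for finding in find_host_ipc_violations(SAMPLE_MANIFESTS):
        print("hostIPC enabled:", finding)
```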