Pods should not run containers wishing to share the host IPC namespace

Description

Minimize the admission of containers wishing to share the host IPC namespace. A Pod that runs with hostIPC set to true places its containers in the host's IPC namespace, so they can interact with processes running on the host through shared memory and other interprocess communication (IPC) mechanisms.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that a Kubernetes.Pod has hostIPC set to false or left unspecified; hostIPC defaults to false.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
  hostIPC: false
# other required fields here
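The check below is an added example, not part of this page or of any scanning product: it walks Kubernetes objects in JSON form (as produced by kubectl get -o json, or a manifest converted to JSON) and reports every object whose pod spec sets hostIPC: true, looking inside the pod templates of Deployment, ReplicaSet, StatefulSet, DaemonSet, Job and CronJob as well as bare Pods, since the field lives in the template for those kinds. Kind and field names are the standard Kubernetes ones; the sample objects are constructed.

```python
import json
# Where the pod spec lives for each supported kind (assumption: common workload kinds only).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def pod_spec(obj):
    """Return the (possibly templated) pod spec of a supported object, else None."""
    if obj.get("kind") not in POD_SPEC_PATHS:
        return None
    node = obj
    for key in POD_SPEC_PATHS[obj["kind"]]:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def find_host_ipc(objects):
    """Return (kind, namespace, name) for every object whose pod spec sets hostIPC: true."""
    findings = []
    for obj in objects:
        if obj.get("kind") == "List":  # kubectl wraps multiple results in a List
            findings.extend(find_host_ipc(obj.get("items", [])))
            continue
        spec = pod_spec(obj)
        # hostIPC defaults to false when omitted, so only an explicit true is a finding.
        if isinstance(spec, dict) and spec.get("hostIPC") is True:
            meta = obj.get("metadata", {})
            findings.append((obj["kind"], meta.get("namespace", "default"), meta.get("name", "")))
    return findings

# Constructed sample (not from a real cluster): a compliant Pod next to a Deployment
# whose pod template opts into the host IPC namespace.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"name": "hello", "namespace": "demo"},
   "spec": {"hostIPC": false, "containers": [{"name": "hello", "image": "busybox"}]}},
  {"kind": "Deployment", "metadata": {"name": "shm-app", "namespace": "demo"},
   "spec": {"template": {"spec": {"hostIPC": true,
            "containers": [{"name": "app", "image": "busybox"}]}}}}
]}
""")

if __name__ == "__main__":
    for kind, ns, name in find_host_ipc([SAMPLE]):
        print(f"{kind} {ns}/{name} sets hostIPC: true")
```

To run it against a live cluster, pass json.load(sys.stdin) from kubectl get pods,deployments,statefulsets,daemonsets,jobs,cronjobs -A -o json to find_host_ipc; the script only inspects objects it is given, so cluster-wide enforcement still needs an admission control such as Pod Security Admission's baseline profile, which rejects hostIPC: true.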