lacework-global-650
4.2.3 Minimize the execution of container workloads sharing the host IPC namespace (Automated)
Profile Applicability
• Level 1
Description
Do not generally permit containers to be run with the hostIPC flag set to true.
Rationale
A container running in the host's IPC namespace can use IPC to interact with processes outside the container.
Impact
Pods defined with spec.hostIPC: true will not be permitted.
Audit
The following command returns pods which have the spec.hostIPC flag set to true.
Run the command and verify that it does not return any pods:
kubectl get pods -o jsonpath="{range.items[?(@.spec.hostIPC==true)]}{.metadata.name}{'\n'}{end}"
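The same check as the jsonpath filter above, written as an added example that is not part of this benchmark text: it applies the filter offline to saved `kubectl get pods -A -o json` output (a constructed sample is embedded, and the script name audit_host_ipc.py is assumed), treating an unset spec.hostIPC as compliant because the field defaults to false:

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output
# (not real cluster data): one violating pod, one explicit false, one unset.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "debug-shell", "namespace": "dev"},
         "spec": {"hostIPC": True, "containers": [{"name": "sh", "image": "busybox"}]}},
        {"metadata": {"name": "my-pod", "namespace": "default"},
         "spec": {"hostIPC": False, "containers": [{"name": "hello-world", "image": "hello-world"}]}},
        {"metadata": {"name": "web", "namespace": "prod"},
         "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    ],
})


def pod_shares_host_ipc(pod: dict) -> bool:
    """True when the pod asks for the host IPC namespace.

    A missing spec.hostIPC is treated as false, matching the API default,
    so only an explicit true counts as a finding.
    """
    return pod.get("spec", {}).get("hostIPC", False) is True


def find_host_ipc_pods(pod_list_json: str) -> list:
    """Return 'namespace/name' for every pod that sets spec.hostIPC: true.

    Equivalent to the benchmark's jsonpath filter items[?(@.spec.hostIPC==true)],
    but run over saved output so it can be reviewed or kept as evidence.
    """
    doc = json.loads(pod_list_json)
    findings = []
    for pod in doc.get("items", []):
        if pod_shares_host_ipc(pod):
            meta = pod.get("metadata", {})
            findings.append(f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}")
    return findings


if __name__ == "__main__":
    import sys
    # Pass "-" to audit real output: kubectl get pods -A -o json | python3 audit_host_ipc.py -
    source = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_POD_LIST
    for finding in find_host_ipc_pods(source):
        print(finding)
```

An empty result means the audit passes; each printed line is a pod to remediate.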
Remediation
Update pod configurations to ensure that the spec.hostIPC flag is false or not set (it defaults to false when not set).
The following example explicitly sets the hostIPC flag to false:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  hostIPC: false
  containers:
  - name: hello-world
    image: hello-world
References
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#podspec-v1-core
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod