Containers share host IPC namespace

Description

Containers in a pod share many resources, so it can make sense for them to share a process namespace. Some container images, however, may expect to be isolated from other containers. Not sharing IPC namespaces helps ensure isolation. Containers in different pods have distinct IP addresses and need special configuration to communicate by IPC.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: hostIPC (Optional)
    If true, the Pod uses the host's IPC namespace. Defaults to false.
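
The `hostIPC` field sits at a different depth depending on the resource kind, so a check has to resolve the pod spec before reading it. The following is an added example, not code from this page or from any scanner: the function names and the sample manifests are constructed for illustration, and the manifests are assumed to be already parsed into dictionaries (for instance by a YAML or JSON loader).

```python
import json

# Path from the resource root to the pod spec, per kind (kinds as listed on this page).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
                  "ReplicationController", "Job"}
TEMPLATE_PATH = ("spec", "template", "spec")


def pod_spec(resource):
    """Return the pod spec dict of a parsed manifest, or None if absent or kind not covered."""
    kind = resource.get("kind")
    path = POD_SPEC_PATHS.get(kind) or (TEMPLATE_PATH if kind in TEMPLATE_KINDS else None)
    if path is None:
        return None
    node = resource
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None


def shares_host_ipc(resource):
    """True only when hostIPC is explicitly true; absent or false passes (default is false)."""
    spec = pod_spec(resource)
    return spec is not None and spec.get("hostIPC") is True


def failing_resources(manifests):
    """Return 'Kind/name' for every manifest that sets hostIPC: true."""
    return [f"{m['kind']}/{m.get('metadata', {}).get('name', '<unnamed>')}"
            for m in manifests if shares_host_ipc(m)]


# Constructed sample manifests (JSON form of what a manifest loader would produce).
SAMPLES = json.loads("""[
 {"kind": "Pod", "metadata": {"name": "ok-default"}, "spec": {"containers": []}},
 {"kind": "Pod", "metadata": {"name": "bad-pod"}, "spec": {"hostIPC": true}},
 {"kind": "Deployment", "metadata": {"name": "bad-deploy"},
  "spec": {"template": {"spec": {"hostIPC": true}}}},
 {"kind": "CronJob", "metadata": {"name": "bad-cron"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec": {"hostIPC": true}}}}}},
 {"kind": "Job", "metadata": {"name": "ok-explicit"},
  "spec": {"template": {"spec": {"hostIPC": false}}}}
]""")

if __name__ == "__main__":
    print(failing_resources(SAMPLES))
```

A `hostIPC` key placed at the wrong depth (for example directly under a Deployment's `spec`) is not part of the pod spec, so this check does not report it.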

```yaml Pod
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
+ hostIPC: false # or do not include hostIPC at all
```

```yaml CronJob
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
+          hostIPC: false # or do not include hostIPC at all
```

```yaml Other
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
+      hostIPC: false # or do not include hostIPC at all
```