
☑️ Prevent containers from sharing the host's IPC namespace

By default, containers only share IPC resources within the same pod. When a container is allowed to share its host's IPC namespace, it has access to the same inter-process mechanisms as other processes running outside of the container runtime.

Objects targeted by this rule (by kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy

Policy as code identifier: CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE


This rule will fail

If hostIPC is set to true:

spec:
  hostIPC: true

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from sharing the host’s IPC namespace [1 occurrence]
💡 Incorrect value for key `hostIPC` - running on the host’s IPC namespace can be (maliciously) used to interact with other processes running outside the container

How to fix this failure

Set hostIPC to false, or remove the key entirely (the Kubernetes default is false, so the pod keeps its own IPC namespace):

spec:
  hostIPC: false
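The rule above targets several kinds, and the pod spec sits at a different path in each of them (a Pod carries it directly, workload controllers wrap it in a pod template, and a CronJob nests a Job template). The script below is an added example, not Datree's own implementation of this rule: it walks the kind-specific path to the pod spec and flags exactly the failing and passing cases shown above. The manifests it runs on are constructed sample input, already parsed into dicts in the shape `yaml.safe_load` produces; the `RULE_ID` string is the identifier from this page, and the PyYAML dependency is only needed for the optional file-reading path.

```python
"""Flag Kubernetes objects whose pod spec sets hostIPC: true.

Added example for this rule, not Datree's own implementation. It applies the
rule's logic across the kinds the rule targets. The sample manifests at the
bottom are constructed input, already parsed into dicts (what yaml.safe_load
would return for the corresponding YAML documents).
"""

RULE_ID = "CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE"

# Where the pod spec lives for each targeted kind. Pods carry it directly,
# workload controllers wrap it in a pod template, and CronJob adds a Job
# template on top of that.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec of a targeted object, or None for untargeted kinds."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def check_host_ipc(manifest):
    """Return a list of findings for one manifest; an empty list means it passes.

    Only the boolean True fails: an absent key or an explicit false keeps the
    pod in its own IPC namespace, which is the fix this rule asks for. (The
    API server rejects non-boolean values for this field, so a string "true"
    never reaches a cluster and is not reported here.)
    """
    spec = pod_spec(manifest)
    if spec is None or spec.get("hostIPC") is not True:
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    return [f"{RULE_ID}: {manifest['kind']}/{name} sets hostIPC: true"]


def check_documents(manifests):
    """Run the check over every document in a (possibly multi-document) file."""
    findings = []
    for manifest in manifests:
        if isinstance(manifest, dict):
            findings.extend(check_host_ipc(manifest))
    return findings


# Constructed sample manifests: a failing Deployment, a failing CronJob,
# a Pod with the fix applied, and a ConfigMap the rule does not target.
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web"},
     "spec": {"replicas": 2, "template": {"spec": {
         "hostIPC": True,
         "containers": [{"name": "web", "image": "nginx:1.25"}]}}}},
    {"apiVersion": "batch/v1", "kind": "CronJob",
     "metadata": {"name": "nightly"},
     "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {"spec": {
         "hostIPC": True,
         "containers": [{"name": "job", "image": "busybox:1.36"}]}}}}}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "fixed"},
     "spec": {"hostIPC": False,
              "containers": [{"name": "app", "image": "nginx:1.25"}]}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "settings"},
     "data": {"mode": "prod"}},
]

if __name__ == "__main__":
    import sys
    docs = SAMPLE_MANIFESTS
    if len(sys.argv) > 1:
        # Optional: check real manifest files (requires PyYAML to be installed).
        import yaml
        docs = []
        for path in sys.argv[1:]:
            with open(path) as fh:
                docs.extend(yaml.safe_load_all(fh))
    for line in check_documents(docs) or ["No hostIPC violations found"]:
        print(line)
```

Run with no arguments to see the constructed samples evaluated, or pass one or more manifest files to check them; the kind-to-path table is the part worth keeping in sync if you extend the check to other workload kinds.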
