Profile Applicability:

  • Level 1

Description:
 A pod whose spec sets hostIPC: true runs its containers in the host’s Inter-Process Communication (IPC) namespace. Those containers can then see and attach to the host’s System V IPC objects (shared memory segments, semaphores, message queues) and POSIX message queues, including those belonging to host processes and to other containers. This increases the risk of privilege escalation and container breakout, since a compromised container could read or modify shared memory used by processes outside its own isolation boundary. This check ensures that pods are not allowed to share the host IPC namespace unless absolutely necessary.

Rationale:
 Allowing a pod to share the host IPC namespace exposes host and cross-container IPC resources to it, which an attacker can abuse after compromising the container. Keeping every pod in its own IPC namespace ensures that containers cannot inadvertently gain access to host shared memory or other IPC objects, reducing the blast radius of a compromise and maintaining the isolation between containers and the host system.

Impact:

  • Pros:

    • Reduces the attack surface by preventing containers from accessing the host IPC namespace.

    • Enhances security by ensuring better isolation between containers and the host system.

  • Cons:

    • Some applications that genuinely need host IPC access (e.g., certain node-level monitoring or profiling agents) require hostIPC: true and must be documented as exceptions.

    • Workloads that rely on host IPC will fail to start or behave incorrectly if the setting is removed without first confirming they do not need it.

Default Value:
 By default, hostIPC is false: a pod joins the host’s IPC namespace only if its spec explicitly sets hostIPC: true.

Pre-requisites:
 PodSecurityPolicy was removed in Kubernetes v1.25. Ensure that Pod Security Admission (both the built-in baseline and restricted profiles reject pods with hostIPC: true) or an equivalent admission-control policy is enforced, so that pods cannot share the host’s IPC namespace unless explicitly exempted.

Remediation:

Test Plan:

Using Azure Console:

  1. Review the pod or container specifications to check if the hostIPC flag is set to true for any pods.

  2. Ensure that containers which do not need access to the host IPC namespace do not have hostIPC: true enabled.

Using Azure CLI:

  1. Use the following command to list every pod, in every namespace, whose spec sets hostIPC to true (pods with the field unset or false are not printed):

     kubectl get pods --all-namespaces -o=jsonpath='{range .items[?(@.spec.hostIPC==true)]}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{end}'

  2. Ensure that every pod listed has a documented, legitimate requirement for the host IPC namespace; any pod without one is a finding.

Implementation Plan:

Using AWS Console:

  1. Access the pod or container specification settings.

  2. Ensure that the hostIPC field is set to false or not set at all for pods that do not need to share the host IPC namespace.

  3. For any pods that require access to the host IPC namespace, ensure that the need is legitimate and the container has adequate security controls.

Using AWS CLI:

  1. Update the workload that owns the pod rather than the pod itself (a controller would otherwise recreate the pod from its unchanged template). For a Deployment, edit the pod template:

    kubectl edit deployment <deployment-name> --namespace=<namespace>

  2. Under spec.template.spec, remove the hostIPC field or set hostIPC: false. Saving the change triggers a rollout that replaces the running pods.
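The test plan above audits live pods and the implementation plan edits the owning workload by hand. The following added example, which is not part of this benchmark or of Kubernetes, does both offline: it takes the JSON that `kubectl get pods --all-namespaces -o json` and `kubectl get deployment <name> -o json` print, reports every pod with hostIPC: true, and returns a copy of a workload manifest with the field removed so it can be re-applied. The pod list and Deployment embedded below are constructed samples, not output from a real cluster, and the helper names are this example's own.

```python
"""Audit pods for hostIPC: true and strip the field from a workload manifest.

Works on the JSON printed by `kubectl get pods -A -o json` (audit) and
`kubectl get deployment <name> -o json` (remediation), so it runs with no
cluster access. SAMPLE_PODS and SAMPLE_DEPLOYMENT are constructed for this
example; the function names are the example's own, not a Kubernetes API.
"""
import copy
import json
import sys

# Constructed sample: one pod with hostIPC: true (a finding), one with the
# field unset (the default, false), and one with an explicit false.
SAMPLE_PODS = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "monitoring", "name": "node-agent-abc12"},
         "spec": {"hostIPC": True,
                  "containers": [{"name": "agent", "image": "agent:1.0"}]}},
        {"metadata": {"namespace": "default", "name": "web-7d9f"},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}},
        {"metadata": {"namespace": "default", "name": "api-55c2"},
         "spec": {"hostIPC": False,
                  "containers": [{"name": "api", "image": "api:2.3"}]}},
    ],
}

# Constructed sample Deployment whose pod template sets hostIPC: true.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"namespace": "monitoring", "name": "node-agent"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "node-agent"}},
        "template": {
            "metadata": {"labels": {"app": "node-agent"}},
            "spec": {"hostIPC": True,
                     "containers": [{"name": "agent", "image": "agent:1.0"}]},
        },
    },
}


def find_host_ipc_pods(pod_list):
    """Return "namespace/name" for every pod whose spec sets hostIPC: true.

    An absent field means the Kubernetes default (false), so only an
    explicit true is reported; the same rule the jsonpath filter in the
    test plan applies.
    """
    return [
        f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for p in pod_list.get("items", [])
        if p.get("spec", {}).get("hostIPC") is True
    ]


def pod_spec_of(manifest):
    """Locate the pod spec: spec.template.spec for workload kinds
    (Deployment, DaemonSet, StatefulSet, Job), spec for a bare Pod."""
    spec = manifest["spec"]
    return spec["template"]["spec"] if "template" in spec else spec


def remove_host_ipc(manifest):
    """Return (patched_copy, changed). The copy has the hostIPC field
    removed from the pod spec, which is equivalent to hostIPC: false and
    matches the 'not set at all' form of the remediation. changed is True
    only if the original actually opted in to the host IPC namespace."""
    patched = copy.deepcopy(manifest)
    previous = pod_spec_of(patched).pop("hostIPC", None)
    return patched, previous is True


if __name__ == "__main__":
    # Pipe real output in: kubectl get pods -A -o json | python3 this.py
    # With no stdin, the constructed samples are used instead.
    pods = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    for ref in find_host_ipc_pods(pods):
        print(f"FINDING: {ref} sets hostIPC: true")
    fixed, changed = remove_host_ipc(SAMPLE_DEPLOYMENT)
    if changed:
        # The patched manifest can be piped to `kubectl apply -f -`.
        print(json.dumps(fixed, indent=2))
```

Editing the pod template rather than the running pod is what makes the change stick: a Deployment's controller recreates pods from the template, so a pod-level edit would be reverted on the next rollout.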

Backout Plan:

Using Azure Console:

  1. If restricting access to the host IPC namespace causes issues, revert the configuration to allow specific containers to access it by setting hostIPC: true.

Using Azure CLI:

  1. Revert the setting by editing the owning workload’s pod template to allow access to the host IPC namespace:

     kubectl edit deployment <deployment-name> --namespace=<namespace>

  2. Set hostIPC: true under spec.template.spec only for the workloads that demonstrably need it, and record the exception.

References:

  1. Kubernetes Pod Security Policies Documentation

  2. Kubernetes Security Best Practices