Profile Applicability:

  • Level 1

Description:
 Sharing the host IPC (Inter-Process Communication) namespace allows containers to access the same IPC resources as the host. While this feature can be useful in certain scenarios, it poses significant security risks by giving containers the ability to access host processes and memory. This check ensures that containers are restricted from sharing the host IPC namespace unless explicitly required, reducing the risk of unauthorized access to the host system.

Rationale:
 Allowing containers to share the IPC namespace with the host enables them to interact with shared memory, semaphores, and message queues, which could lead to data leaks or unauthorized access to the host system. By minimizing the admission of containers with this configuration, you reduce the attack surface and prevent containers from gaining unnecessary access to the host system's IPC resources.

Impact:

Pros:

  • Reduces security risks by preventing containers from accessing host IPC resources.

  • Enhances the isolation of containers from the host system.

Cons:

  • Some applications, such as inter-container communication or monitoring tools, may require access to the host IPC namespace to function properly.

  • Requires careful configuration to ensure that containers that legitimately need host IPC access are still able to do so.

Default Value:
 By default, containers do not share the host IPC namespace unless explicitly specified in the pod's configuration. Kubernetes does not enable the sharing of the IPC namespace by default.

Pre-requisites:
 Ensure that PodSecurityPolicies (PSPs) or another admission controller is in place to restrict containers from sharing the host IPC namespace unless explicitly allowed for trusted workloads.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Pod configurations and check if hostIPC is set to true for any containers.

  3. Ensure that PodSecurityPolicies or Admission Controllers are configured to restrict containers from sharing the host IPC namespace.

Using Azure CLI:

  1. Use the following command to check if any containers are using the hostIPC setting:

     kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.hostIPC}'

    Ensure that hostIPC is set to false or is not specified unless required for specific workloads.

  2. Verify that PodSecurityPolicy or other admission controllers are applied to block the use of hostIPC unless necessary.
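
The jsonpath query above prints only the raw values, without pod names. As an added example (not part of the original benchmark text), this Python script reads the JSON form of the same listing and names each pod that sets hostIPC to true; the script name audit_hostipc.py, the sample pods and the "monitoring" allowlist are constructed assumptions.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE = {
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-1"},
         "spec": {"containers": [{"name": "web"}]}},          # hostIPC absent
        {"metadata": {"namespace": "default", "name": "shm-reader"},
         "spec": {"hostIPC": True, "containers": [{"name": "r"}]}},
        {"metadata": {"namespace": "monitoring", "name": "agent-x"},
         "spec": {"hostIPC": True, "containers": [{"name": "a"}]}},
        {"metadata": {"namespace": "default", "name": "api-1"},
         "spec": {"hostIPC": False, "containers": [{"name": "api"}]}},
    ],
}


def pods_sharing_host_ipc(pod_list, allowed_namespaces=()):
    """Return (violations, exceptions) as sorted 'namespace/name' lists.

    Only spec.hostIPC == true counts; an absent field is the default (false).
    Pods in allowed_namespaces are reported separately, not hidden.
    """
    items = pod_list.get("items")
    if items is None:                      # a single Pod object, not a List
        items = [pod_list]
    violations, exceptions = [], []
    for pod in items:
        if pod.get("spec", {}).get("hostIPC") is not True:
            continue
        meta = pod.get("metadata", {})
        ns = meta.get("namespace", "default")
        ref = f"{ns}/{meta.get('name', '<unnamed>')}"
        (exceptions if ns in allowed_namespaces else violations).append(ref)
    return sorted(violations), sorted(exceptions)


if __name__ == "__main__":
    # Real use: kubectl get pods --all-namespaces -o json | python3 audit_hostipc.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    bad, ok = pods_sharing_host_ipc(data, allowed_namespaces={"monitoring"})
    for ref in bad:
        print("VIOLATION", ref)
    for ref in ok:
        print("ALLOWED  ", ref)
    sys.exit(1 if bad else 0)
```

The non-zero exit status on any violation lets the check run as a scheduled job or pipeline gate.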

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to your AKS cluster and access the Pod specifications.

Modify the Pod specification to prevent containers from sharing the host IPC namespace unless necessary (hostIPC is a field of the Pod spec itself, not of securityContext):

spec:
  hostIPC: false

Apply a PodSecurityPolicy (or other admission control mechanism) to restrict the use of the hostIPC setting. A sample PodSecurityPolicy to enforce this might look like:

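apiVersion: policy/v1beta1   # PodSecurityPolicy was removed in Kubernetes v1.25
kind: PodSecurityPolicy
metadata:
  name: restrict-hostipc
spec:
  hostIPC: false
  # Required PSP fields; RunAsAny leaves these controls unrestricted by this policy.
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}

Apply this PodSecurityPolicy to ensure that containers cannot share the host IPC namespace unless explicitly allowed.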

Using Azure CLI:

Modify the Pod specification to prevent the use of the hostIPC setting by adding the following:

# hostIPC is a field of the Pod spec, not of securityContext
spec:
  hostIPC: false

Apply the updated Pod configuration:

 kubectl apply -f pod-spec.yaml

Create a PodSecurityPolicy that restricts the use of hostIPC:

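apiVersion: policy/v1beta1   # PodSecurityPolicy was removed in Kubernetes v1.25
kind: PodSecurityPolicy
metadata:
  name: restrict-hostipc
spec:
  hostIPC: false
  # Required PSP fields; RunAsAny leaves these controls unrestricted by this policy.
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}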

Apply the PodSecurityPolicy using:

 kubectl apply -f pod-security-policy.yaml

Backout Plan:

Using Azure Console:

  1. If restricting hostIPC causes issues with legitimate workloads, revert the changes in the Azure portal by allowing containers to use the host IPC namespace where required.

Using Azure CLI:

Revert the Pod specification to allow containers to use the hostIPC setting by modifying the YAML configuration:

# hostIPC is a field of the Pod spec, not of securityContext
spec:
  hostIPC: true

Apply the updated configuration:

 kubectl apply -f pod-spec.yaml

Revert any PodSecurityPolicy changes by deleting the policy:

 kubectl delete podsecuritypolicy restrict-hostipc
