Profile Applicability:
Level 1
Description:
Sharing the host IPC (Inter-Process Communication) namespace allows containers to access the same IPC resources as the host. While this feature can be useful in certain scenarios, it poses significant security risks by giving containers the ability to access host processes and memory. This check ensures that containers are restricted from sharing the host IPC namespace unless explicitly required, reducing the risk of unauthorized access to the host system.
Rationale:
Allowing containers to share the IPC namespace with the host enables them to interact with shared memory, semaphores, and message queues, which could lead to data leaks or unauthorized access to the host system. By minimizing the admission of containers with this configuration, you reduce the attack surface and prevent containers from gaining unnecessary access to the host system's IPC resources.
Impact:
Pros:
Reduces security risks by preventing containers from accessing host IPC resources.
Enhances the isolation of containers from the host system.
Cons:
Some applications, such as monitoring tools or workloads that rely on IPC between containers, may require access to the host IPC namespace to function properly.
Requires careful configuration to ensure that containers that legitimately need host IPC access are still able to do so.
Default Value:
By default, containers do not share the host IPC namespace unless explicitly specified in the pod's configuration. Kubernetes does not enable the sharing of the IPC namespace by default.
Pre-requisites:
Ensure that PodSecurityPolicies (PSPs) or another admission controller is in place to restrict containers from sharing the host IPC namespace unless explicitly allowed for trusted workloads.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Pod configurations and check if hostIPC is set to true for any containers.
Ensure that PodSecurityPolicies or Admission Controllers are configured to restrict containers from sharing the host IPC namespace.
Using Azure CLI:
Use the following command to check if any containers are using the hostIPC setting:
kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.hostIPC}'
Ensure that hostIPC is set to false or is not specified unless required for specific workloads.
Verify that PodSecurityPolicy or other admission controllers are applied to block the use of hostIPC unless necessary.
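The jsonpath query above prints only the hostIPC values, not which pods set them. The following Python script is an added example, not part of the original benchmark text: it reads the output of kubectl get pods --all-namespaces -o json and lists each pod with hostIPC set to true by namespace, name and owning controller. The sample pod list, the allowlisted "monitoring" namespace and the function name find_host_ipc_pods are assumptions made for illustration.

```python
import json
import sys

# Constructed sample: trimmed shape of `kubectl get pods
# --all-namespaces -o json` output (not taken from a real cluster).
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web-7d9f"},
     "spec": {"containers": [{"name": "web"}]}},
    {"metadata": {"namespace": "batch", "name": "shm-worker-0",
                  "ownerReferences": [{"kind": "StatefulSet", "name": "shm-worker"}]},
     "spec": {"hostIPC": True, "containers": [{"name": "worker"}]}},
    {"metadata": {"namespace": "monitoring", "name": "node-agent-x2k",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "node-agent"}]},
     "spec": {"hostIPC": True, "containers": [{"name": "agent"}]}},
    {"metadata": {"namespace": "default", "name": "api-1"},
     "spec": {"hostIPC": False, "containers": [{"name": "api"}]}},
]})


def find_host_ipc_pods(pod_list_json, allowed_namespaces=()):
    """Return (violations, allowed): pods whose spec.hostIPC is true.

    allowed_namespaces is a hypothetical allowlist for trusted workloads
    that legitimately need the host IPC namespace.
    """
    violations, allowed = [], []
    for pod in json.loads(pod_list_json).get("items", []):
        # hostIPC is a pod-level field; an absent value means false.
        if pod.get("spec", {}).get("hostIPC") is not True:
            continue
        meta = pod.get("metadata", {})
        first = (meta.get("ownerReferences") or [{}])[0]
        entry = {
            "namespace": meta.get("namespace", ""),
            "pod": meta.get("name", ""),
            # The owning controller is where the spec has to be fixed.
            "owner": f'{first["kind"]}/{first["name"]}' if first else "none",
        }
        target = allowed if entry["namespace"] in allowed_namespaces else violations
        target.append(entry)
    return violations, allowed


if __name__ == "__main__":
    # Pass a file holding real kubectl JSON output, or use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POD_LIST
    bad, ok = find_host_ipc_pods(raw, allowed_namespaces={"monitoring"})
    for e in bad:
        print(f'VIOLATION {e["namespace"]}/{e["pod"]} (owner: {e["owner"]})')
    for e in ok:
        print(f'ALLOWED   {e["namespace"]}/{e["pod"]} (owner: {e["owner"]})')
```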
Implementation Plan:
Using Azure Console:
In the Azure portal, go to your AKS cluster and access the Pod specifications.
Modify the Pod specification to prevent containers from sharing the host IPC namespace unless necessary (hostIPC is a Pod-level field under spec, not part of securityContext):
spec:
  hostIPC: false
Apply a PodSecurityPolicy (or other admission control mechanism) to restrict the use of the hostIPC setting. A sample PodSecurityPolicy to enforce this might look like:
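# policy/v1beta1 PodSecurityPolicy was removed in Kubernetes v1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-hostipc
spec:
  hostIPC: false
  # Required rule fields; RunAsAny leaves them unrestricted.
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}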
Apply this PodSecurityPolicy to ensure that containers cannot share the host IPC namespace unless explicitly allowed.
Using Azure CLI:
Modify the Pod specification to prevent the use of the hostIPC setting by adding the following:
# hostIPC is a Pod-level field under spec, not part of securityContext.
spec:
  hostIPC: false
Apply the updated Pod configuration:
kubectl apply -f pod-spec.yaml
Create a PodSecurityPolicy that restricts the use of hostIPC:
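# policy/v1beta1 PodSecurityPolicy was removed in Kubernetes v1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-hostipc
spec:
  hostIPC: false
  # Required rule fields; RunAsAny leaves them unrestricted.
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}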
Apply the PodSecurityPolicy using:
kubectl apply -f pod-security-policy.yaml
Backout Plan:
Using Azure Console:
If restricting hostIPC causes issues with legitimate workloads, revert the changes in the Azure portal by allowing containers to use the host IPC namespace where required.
Using Azure CLI:
Revert the Pod specification to allow containers to use the hostIPC setting by modifying the YAML configuration:
# hostIPC is a Pod-level field under spec, not part of securityContext.
spec:
  hostIPC: true
Apply the updated configuration:
kubectl apply -f pod-spec.yaml
Revert any PodSecurityPolicy changes by deleting the policy:
kubectl delete podsecuritypolicy restrict-hostipc