Using host operating system namespaces breaks container isolation and can lead to compromise of the host system.
Sharing host operating system namespaces (PID, IPC, or network) with containers opens a new attack surface to an attacker who has already compromised a service exposed by a container. These namespaces expose the host's processes, its inter-process communication mechanisms, and the network services of the local host system. Sharing the host network namespace can improve performance for workloads with demanding network requirements, but successful exploitation of this attack vector can have a catastrophic impact on the confidentiality, integrity, and availability of the host or the cluster.
An attacker who compromises a container with host namespace access can extend the attack to the host system: they may be able to view or interact with sensitive host processes, intercept inter-process communication, or reach network services that are only meant to be accessible locally.
Noncompliant playbook (the container shares the host's PID, IPC and network namespaces):

```yaml
- name: Deploy example container
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Run container
      community.docker.docker_container:
        name: example
        image: nginx
        state: started
        pid_mode: host      # Noncompliant
        ipc_mode: host      # Noncompliant
        network_mode: host  # Noncompliant
        ports:
          - "80:80"
```
Compliant playbook (the container keeps its own namespaces):

```yaml
- name: Deploy example container
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Run container
      community.docker.docker_container:
        name: example
        image: nginx
        state: started
        pid_mode: private   # own PID namespace: host processes are not visible
        ipc_mode: none      # own IPC namespace, /dev/shm not mounted
        network_mode: none  # no network interface besides loopback
        ports:
          - "80:80"
```
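To catch the noncompliant settings before a playbook is run, the following lint pass walks an already-parsed playbook and reports every `docker_container` task whose `pid_mode`, `ipc_mode` or `network_mode` is `host`. This is an added example, not code from the rule or from Ansible; it takes the structure `yaml.safe_load` would return, and the embedded playbook is a constructed copy of the noncompliant example above.

```python
"""Flag Ansible docker_container tasks that share host namespaces (added example)."""

# Both the fully-qualified and the short module name may appear in playbooks.
DOCKER_CONTAINER_MODULES = ("community.docker.docker_container", "docker_container")
NAMESPACE_KEYS = ("pid_mode", "ipc_mode", "network_mode")
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks")


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always groups."""
    for task in tasks or []:
        yield task
        for group in ("block", "rescue", "always"):
            if group in task:
                yield from iter_tasks(task[group])


def host_namespace_findings(playbook):
    """Return (play name, task name, key) for each *_mode set to 'host'.

    Values are normalised to lower-case strings so 'host' and "HOST" both
    match; a container:<id> mode is a different risk and is not flagged here.
    """
    findings = []
    for play in playbook:
        for section in TASK_SECTIONS:
            for task in iter_tasks(play.get(section)):
                for module in DOCKER_CONTAINER_MODULES:
                    params = task.get(module)
                    if not isinstance(params, dict):
                        continue
                    for key in NAMESPACE_KEYS:
                        if str(params.get(key, "")).strip().lower() == "host":
                            findings.append((play.get("name"), task.get("name"), key))
    return findings


# Constructed sample: the noncompliant playbook above as yaml.safe_load would parse it.
SAMPLE_PLAYBOOK = [{
    "name": "Deploy example container", "hosts": "localhost", "gather_facts": False,
    "tasks": [{
        "name": "Run container",
        "community.docker.docker_container": {
            "name": "example", "image": "nginx", "state": "started",
            "pid_mode": "host", "ipc_mode": "host", "network_mode": "host",
            "ports": ["80:80"],
        },
    }],
}]

if __name__ == "__main__":
    for play, task, key in host_namespace_findings(SAMPLE_PLAYBOOK):
        print(f"{play} / {task}: {key}: host shares a host namespace with the container")
```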