Using host operating system namespaces breaks container isolation and can lead to compromise of the host system.

Why is this an issue?

Sharing host operating system namespaces (PID, IPC, or network) with containers exposes additional attack surface to an attacker who has already compromised a service running in a container. These namespaces expose the host's processes, inter-process communication mechanisms, and local network services to the container. Sharing the host network can improve performance for workloads with demanding network requirements, but successful exploitation of this attack vector could have a catastrophic impact on the confidentiality, integrity, and availability of the host or cluster.

What is the potential impact?

An attacker who compromises a container with host namespace access can extend their attack to the host system. They may be able to view or interact with sensitive host processes, intercept inter-process communications, or reach network services that are only intended to be accessible locally.

How to fix it

Code examples

Noncompliant code example

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
  hostPID: true     # Noncompliant
  hostIPC: true     # Noncompliant
  hostNetwork: true # Noncompliant

Compliant solution

apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: web
      image: nginx
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
  hostPID: false
  hostIPC: false
  hostNetwork: false
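
The following script, added here as an illustration and not part of the rule itself, audits workloads for the three flags above. It reads the JSON that `kubectl get pods,deployments,... -o json` produces (here replaced by a constructed sample) and reports every Pod, templated workload, or CronJob whose pod spec enables a host namespace.

```python
import json

# Kinds whose pod spec lives under spec.template.spec
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def pod_spec_of(obj):
    """Return the pod spec embedded in a Kubernetes object, or None if it has none."""
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":  # one more level of nesting: spec.jobTemplate.spec.template.spec
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return None


def find_host_namespace_usage(document):
    """Accept one object or a kind: List; return (kind, namespace, name, enabled_fields) per offender."""
    findings = []
    for obj in document.get("items", [document]):
        spec = pod_spec_of(obj)
        if spec is None:
            continue
        # The API server stores these as real booleans, so compare against True
        enabled = [f for f in HOST_NAMESPACE_FIELDS if spec.get(f) is True]
        if enabled:
            meta = obj.get("metadata", {})
            findings.append((obj["kind"], meta.get("namespace", "default"), meta.get("name"), enabled))
    return findings


# Constructed sample, shaped like `kubectl get pods,deployments -A -o json` output
SAMPLE = json.loads("""{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"name": "example"},
   "spec": {"hostPID": true, "hostIPC": false, "hostNetwork": true, "containers": []}},
  {"kind": "Deployment", "metadata": {"name": "agent", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"hostIPC": true, "containers": []}}}},
  {"kind": "Pod", "metadata": {"name": "clean", "namespace": "web"},
   "spec": {"hostPID": false, "hostIPC": false, "hostNetwork": false, "containers": []}}
]}""")

if __name__ == "__main__":
    for kind, ns, name, fields in find_host_namespace_usage(SAMPLE):
        print(f"{kind} {ns}/{name} shares host namespaces: {', '.join(fields)}")
```

Pipe real cluster output in with `kubectl get pods,deployments,daemonsets,cronjobs -A -o json` and replace `SAMPLE` with `json.load(sys.stdin)` to run it against a live cluster.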

Resources

Standards