Kubernetes Security Specialist (CKS): Exam Cram Notes by Specialist IP


Author: Specialist, IP
Language: eng
Format: epub
Published: 2022-05-15T00:00:00+00:00


As shown in Figure 4-02, if hostIPC is set to true, the containers in the Pod will use the host's interprocess communication (IPC) namespace. IPC is a Linux feature that allows processes to communicate with one another. Normally, containers use a separate IPC namespace, so a container process has no way to communicate with processes on the host or in other containers. This limits an attacker's ability to use IPC to interact with and compromise other system components. If hostIPC is set to true, the containers in this Pod share the host IPC namespace; this setting should be avoided, because the isolation provided by a separate namespace benefits security. Another setting, hostNetwork, controls the network namespace in the same way, and a third, hostPID, controls the process ID namespace: if it is set to true, containers will use the host's PID namespace. All three settings instruct containers to use the host namespace for that area rather than their own isolated namespace. All three default to false, so if none of them is specified, you can rest easy knowing that your containers are properly isolated in their own namespaces rather than the host's. Thus, the most important thing to remember is to use hostIPC, hostNetwork, and hostPID only when necessary. Do not enable these settings unnecessarily, because from a security standpoint it is good to keep that isolation and stay out of the host namespaces.
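The following is an added example, not part of the book: a small audit routine that reports which of the three host-namespace fields a manifest enables, treating an absent field as the default false and unwrapping Pod templates inside workload objects (Deployment, DaemonSet, CronJob). The manifests, names and images are constructed for the example.

```python
# Added example (not from the book): audit Kubernetes manifests for the
# hostIPC / hostNetwork / hostPID settings. Manifests are the Python dicts
# you would get from json.load() or yaml.safe_load() on a real manifest.
import json

HOST_NAMESPACE_FIELDS = ("hostIPC", "hostNetwork", "hostPID")


def pod_spec_of(manifest):
    """Return the Pod spec, unwrapping workload templates where needed."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    # Deployment, StatefulSet, DaemonSet and Job carry the Pod template at spec.template
    template = spec.get("template")
    if template:
        return template.get("spec", {})
    # CronJob nests one level deeper: spec.jobTemplate.spec.template.spec
    job_spec = spec.get("jobTemplate", {}).get("spec", {})
    return job_spec.get("template", {}).get("spec", {})


def audit_host_namespaces(manifest):
    """List the host-namespace fields explicitly set to true.

    Each field defaults to false when absent, so an empty list means the Pod
    keeps its own IPC, network and PID namespaces.
    """
    spec = pod_spec_of(manifest)
    return [f for f in HOST_NAMESPACE_FIELDS if spec.get(f) is True]


# Constructed sample manifests (JSON form of what kubectl would accept).
ISOLATED_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web"},
  "spec": {"containers": [{"name": "app", "image": "nginx:1.25"}]}}""")

HOST_NS_DAEMONSET = json.loads("""{"apiVersion": "apps/v1", "kind": "DaemonSet",
  "metadata": {"name": "node-agent"},
  "spec": {"selector": {"matchLabels": {"app": "agent"}},
    "template": {"metadata": {"labels": {"app": "agent"}},
      "spec": {"hostPID": true, "hostNetwork": true,
               "containers": [{"name": "agent", "image": "agent:1.0"}]}}}}""")

if __name__ == "__main__":
    for m in (ISOLATED_POD, HOST_NS_DAEMONSET):
        findings = audit_host_namespaces(m)
        print(m["metadata"]["name"], "->", findings or "isolated")
```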





