Containers sharing sensitive host namespaces should be avoided

HIGH

Prevents pods from sharing the host's PID, IPC, or network namespaces (the hostPID, hostIPC, and hostNetwork fields of a Kubernetes pod spec), which would expose host processes, host IPC objects, and host-local network services to the container.

What does this mean?

Sharing host namespaces (PID, IPC, network) with a container removes the isolation boundary between the container and the host. A container in the host PID namespace can see and signal every host process, and with enough privilege read their /proc entries and memory; the host IPC namespace exposes the shared-memory segments, semaphores, and message queues of host processes to the container; the host network namespace gives the container direct access to services bound to the node's loopback interface (for example the kubelet's read-only port or a local metadata proxy) and lets it bind ports and sniff traffic on the node's interfaces. Any one of these is usually enough for a compromised workload to escalate to the node. Note that the flags are set per pod and apply to every container in the pod, including init and sidecar containers.

Benefits of implementation

  • Maintains strong isolation between containers and the host
  • Prevents a container from seeing, signalling, or inspecting host processes
  • Covered by the CIS Kubernetes Benchmark (minimize the admission of containers wishing to share the host PID, IPC, or network namespace) and by the Pod Security Standards baseline profile

Drawbacks and considerations

  • Some system-level tools and debugging containers (for example node-level profilers or ad-hoc troubleshooting pods) need host namespace access
  • Network monitoring tools and CNI components may require the host network namespace
  • Exceptions must be scoped to specific namespaces or workloads, carefully evaluated, and documented so they can be distinguished from accidental misconfiguration
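The following added example (not part of the original page) audits pod definitions for the host-namespace fields described above and applies the "documented exception" rule from the drawbacks list. It reads the same JSON shape that `kubectl get pods -A -o json` produces, but the pod list embedded here is a constructed sample, not real cluster output, and the `example.org/host-namespace-exception` annotation used to mark approved exceptions is a hypothetical convention chosen for this example.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
# Three pods: an unapproved debugging pod sharing host namespaces, a hardened workload,
# and a monitoring agent whose host-namespace use is recorded as a documented exception.
SAMPLE_POD_LIST = json.loads("""
{ "items": [
  {"metadata": {"name": "debug-shell", "namespace": "dev"},
   "spec": {"hostPID": true, "hostNetwork": true,
            "containers": [{"name": "sh", "image": "busybox"}]}},
  {"metadata": {"name": "web", "namespace": "prod"},
   "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
  {"metadata": {"name": "node-exporter-abc12", "namespace": "monitoring",
                "annotations": {"example.org/host-namespace-exception": "TICKET-123"}},
   "spec": {"hostNetwork": true, "hostPID": true,
            "containers": [{"name": "exporter", "image": "prom/node-exporter"}]}}
]}
""")

# Pod-level spec fields that opt the whole pod into a host namespace.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")

# Hypothetical annotation used in this example to record an approved, documented exception.
EXCEPTION_ANNOTATION = "example.org/host-namespace-exception"


def shared_host_namespaces(pod):
    """Return the host namespaces a pod shares, in a fixed order.

    Only an explicit boolean true counts; an absent field defaults to false in Kubernetes.
    """
    spec = pod.get("spec", {})
    return [field for field in HOST_NAMESPACE_FIELDS if spec.get(field) is True]


def documented_exception(pod):
    """Return the exception reference recorded on the pod, or None if there is none."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return annotations.get(EXCEPTION_ANNOTATION)


def audit_pod_list(pod_list):
    """Report every pod that shares at least one host namespace, with its exception status."""
    findings = []
    for pod in pod_list.get("items", []):
        shared = shared_host_namespaces(pod)
        if not shared:
            continue
        meta = pod["metadata"]
        findings.append({
            "pod": f"{meta['namespace']}/{meta['name']}",
            "shared": shared,
            "exception": documented_exception(pod),
        })
    return findings


def violations(findings):
    """Findings without a documented exception are the ones that need remediation."""
    return [f for f in findings if f["exception"] is None]


def harden_pod_spec(spec):
    """Return a copy of a pod spec with every host-namespace flag removed.

    This is the corrected form of a pod spec that set hostPID, hostIPC or hostNetwork.
    """
    return {key: value for key, value in spec.items() if key not in HOST_NAMESPACE_FIELDS}


if __name__ == "__main__":
    for finding in audit_pod_list(SAMPLE_POD_LIST):
        status = f"exception {finding['exception']}" if finding["exception"] else "VIOLATION"
        print(f"{finding['pod']}: shares {', '.join(finding['shared'])} [{status}]")
```

Against a real cluster the same functions work on `json.load(sys.stdin)` fed from `kubectl get pods -A -o json`. A checker like this is a detective control; the preventive control is to reject the fields at admission, which the Pod Security Standards baseline profile already does for `hostPID`, `hostIPC`, and `hostNetwork`.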

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Details
Risk Level
HIGH
Category
Container Security
Azure Resource

Frameworks
3 frameworks
Last updated
2026-02-12