Action Item: Host IPC

See how to check your host IPC configurations with Fairwinds Insights.

Transcript

Hello, I’m Nung Bedell and I'm a customer reliability engineer at Fairwinds. In this video, I'm going to take you through the Host IPC Should Not Be Configured Insights action item.

What is IPC? IPC is an inter-process communication mechanism of an operating system that allows processes to communicate with each other and synchronize all their actions. The communication between these processes can be seen as a method of cooperation between them. Processes can communicate with each other through both shared memory and message passing.

Why should hostIPC not be configured? The hostIPC namespace controls whether a pod's containers can be shared. You can administer cluster-level restrictions to ensure that containers remain isolated using role-based access control, RBAC, via a pod security policy, ensuring that hostIPC is set to False. Preventing the sharing of hostIPC namespace ensures proper isolation between Docker containers and the underlying host.

Restricting hostIPC configuration can be handled via a pod security policy, or on an individual workload, such as a pod. Here, we have a pod security policy, where in the spec, we've set the hostIPC to False. Next, we've created a cluster role where we've granted access to that policy. And then finally, we've created a ClusterRoleBinding, binding the role to a service account. In this example, we're taking a pod workload and in the spec, we called out hostIPC set to false.

In conclusion, setting the hostIPC to false further hardens your Kubernetes deployments. HostIPC can be configured on individual workloads and/or one can configure a pod security policy and then bind it to a role to accomplish this on a larger scale within your cluster.
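The manifests the walkthrough describes are not reproduced in the transcript, so the following is an added example (not Fairwinds' own code or the video's on-screen files) of the weak setting beside the hardened one: a pod with `hostIPC: true`, which shares the host's IPC namespace and is what the action item flags, followed by the compliant pod, the PodSecurityPolicy that denies hostIPC cluster-wide, the ClusterRole granting `use` of that policy, and the ClusterRoleBinding tying it to a service account. All names (`app-hostipc-true`, `restricted-hostipc`, `app-sa`, the `demo` namespace, the image tag) are constructed for this example.

```yaml
# Added example, not from the video. All resource names, the namespace and
# the image tag are constructed placeholders.

# 1. Non-compliant: hostIPC: true joins the host's IPC namespace, so the
#    container can see and attach to the host's shared memory segments,
#    semaphores and message queues.
apiVersion: v1
kind: Pod
metadata:
  name: app-hostipc-true
  namespace: demo
spec:
  hostIPC: true        # flagged by "Host IPC Should Not Be Configured"
  containers:
  - name: app
    image: nginx:1.25
---
# 2. Compliant: hostIPC explicitly false (false is also the default when
#    the field is omitted, so an absent field is not a finding).
apiVersion: v1
kind: Pod
metadata:
  name: app-hostipc-false
  namespace: demo
spec:
  hostIPC: false
  containers:
  - name: app
    image: nginx:1.25
---
# 3. PodSecurityPolicy that denies hostIPC for every pod admitted under it
#    (policy/v1beta1; the PodSecurityPolicy API was removed in Kubernetes 1.25).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-hostipc
spec:
  hostIPC: false
  hostPID: false
  hostNetwork: false
  privileged: false
  # The fields below are required by the PSP schema; RunAsAny keeps this
  # example focused on host namespace sharing only.
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
---
# 4. ClusterRole granting "use" of that policy (RBAC).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-restricted-hostipc
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  resourceNames: ['restricted-hostipc']
  verbs: ['use']
---
# 5. ClusterRoleBinding binding the role to the workload's service account,
#    so pods running as app-sa in the demo namespace are admitted only if
#    they satisfy restricted-hostipc.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-sa-restricted-hostipc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-restricted-hostipc
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: demo
```

The policy only takes effect when the PodSecurityPolicy admission controller is enabled on the API server. On clusters at 1.25 or later, where PSP no longer exists, the equivalent cluster-level control is Pod Security Admission: labelling a namespace with `pod-security.kubernetes.io/enforce: baseline` rejects any pod that sets `hostIPC: true`, since the baseline profile forbids host namespace sharing. To find pods already running with the setting, `kubectl get pods -A -o json | jq '.items[] | select(.spec.hostIPC == true) | .metadata.namespace + "/" + .metadata.name'` lists them by namespace and name.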