
What is host namespace sharing?

Containers are isolated by Linux namespaces. Sharing a host namespace (--pid=host, --net=host, --ipc=host) punches a hole in that isolation and opens direct paths to the host. Here is what each one exposes.

TL;DR

Host namespace sharing is running a container with flags like `--pid=host`, `--net=host`, or `--ipc=host` (or the Kubernetes equivalents hostPID, hostNetwork, hostIPC), which place the container in the host’s namespace instead of its own. That removes a layer of isolation: with hostPID the container sees and can signal host processes (and read their memory), with hostNetwork it shares the host’s network and local services. Each shared namespace is a direct path toward host compromise.

By John Dill, Red Team Lead, SecureLayer7

What namespace sharing is

Namespaces are the Linux feature that gives a container its own view of the system: its own process list (PID), its own network stack (NET), its own IPC, and so on. That separate view is most of what makes a container isolated.

Sharing a host namespace puts the container back into the host’s view for that dimension. The container is no longer looking at its own isolated slice; it is looking at the host’s, which removes exactly the isolation you were relying on.

What each shared namespace exposes

Each flag opens a different door:

  • `--pid=host`: the container sees all host processes. With the right capability it can read their memory (secrets, tokens) via /proc/<pid>/ or inject into them, and nsenter can drop into the host.
  • `--net=host`: the container shares the host network, reaching services bound to localhost (databases, the kubelet, cloud metadata) that were never meant to be exposed.
  • `--ipc=host`: the container shares the host’s IPC namespace (System V shared memory, semaphores and message queues), so it can read or tamper with shared memory belonging to host processes and to any other container that also runs with `--ipc=host`.


How to defend

  • Do not set `hostPID`, `hostNetwork`, or `hostIPC` on application workloads.
  • Block them with Pod Security Standards (restricted) and admission control in Kubernetes.
  • Audit compose files and manifests for `--pid=host` / `network_mode: host` and the pod-spec equivalents.
  • Bind host services to specific interfaces, not 0.0.0.0, so hostNetwork exposure is limited.
  • Combine with dropping capabilities so a shared namespace is less useful to an attacker.
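The audit and capability points above can be turned into a single check. The script below is an added example, not code from this page or from SecureLayer7: it reads the JSON that `docker inspect <container>` and `kubectl get pods -A -o json` already emit (standard library only, so no YAML parser is needed), flags every shared host namespace, and, where one is shared, also reports containers that add SYS_PTRACE alongside hostPID or that do not drop all capabilities. The three host-namespace pod fields are forbidden by the Pod Security Standards baseline profile, which restricted includes, so the check mirrors what admission control would reject. The function names and the sample documents at the bottom are my own constructions.

```python
"""Audit Docker containers and Kubernetes pods for shared host namespaces.

Added example: consumes the JSON printed by `docker inspect` and
`kubectl get pods -A -o json`. The SAMPLE_* documents are constructed
for this example, not captured from a real system.
"""
import json
import sys

# Pod-spec fields that place the pod in a host namespace.
POD_HOST_NS_FIELDS = ("hostPID", "hostNetwork", "hostIPC")

# docker inspect HostConfig keys and the CLI flag that sets each to "host".
DOCKER_HOST_NS_KEYS = {"PidMode": "--pid=host",
                       "NetworkMode": "--net=host",
                       "IpcMode": "--ipc=host"}


def audit_pod(pod):
    """Return (workload, finding) tuples for one Kubernetes Pod object."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    shared = [f for f in POD_HOST_NS_FIELDS if spec.get(f) is True]
    findings = [(name, f"spec.{f}=true") for f in shared]
    if not shared:
        return findings
    # A shared namespace matters more when capabilities were not dropped:
    # CAP_SYS_PTRACE plus hostPID lets a container read host process memory.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added, dropped = caps.get("add", []), caps.get("drop", [])
        if "hostPID" in shared and "SYS_PTRACE" in added:
            findings.append((name, f"container {c['name']} adds SYS_PTRACE with hostPID"))
        if "ALL" not in dropped:
            findings.append((name, f"container {c['name']} does not drop ALL capabilities"))
    return findings


def audit_pod_list(pod_list):
    """Audit the `List` object that `kubectl get pods -A -o json` prints."""
    findings = []
    for pod in pod_list.get("items", []):
        findings.extend(audit_pod(pod))
    return findings


def audit_docker_inspect(containers):
    """Audit the array that `docker inspect <id>...` prints."""
    findings = []
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        host_config = c.get("HostConfig", {})
        shared = [flag for key, flag in DOCKER_HOST_NS_KEYS.items()
                  if host_config.get(key) == "host"]
        findings.extend((name, flag) for flag in shared)
        if shared and "ALL" not in (host_config.get("CapDrop") or []):
            findings.append((name, "host namespace shared without --cap-drop=ALL"))
    return findings


# Constructed sample input: one debug pod sharing host PID and network, one
# clean web pod; one agent container on the host network, one bridged API.
SAMPLE_PODS = {"kind": "List", "items": [
    {"metadata": {"name": "node-debugger", "namespace": "ops"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "containers": [{"name": "debug", "image": "busybox",
                              "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}}]}},
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [{"name": "app", "image": "nginx",
                              "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
]}
SAMPLE_DOCKER = [
    {"Name": "/metrics-agent",
     "HostConfig": {"PidMode": "", "NetworkMode": "host", "IpcMode": "", "CapDrop": None}},
    {"Name": "/api",
     "HostConfig": {"PidMode": "", "NetworkMode": "bridge", "IpcMode": "private", "CapDrop": ["ALL"]}},
]


def main():
    """Read a docker inspect array or a kubectl List from stdin; exit 1 on findings."""
    doc = json.load(sys.stdin)
    findings = audit_docker_inspect(doc) if isinstance(doc, list) else audit_pod_list(doc)
    for workload, finding in findings:
        print(f"{workload}: {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `kubectl get pods -A -o json | python3 audit_host_ns.py` or `docker inspect $(docker ps -q) | python3 audit_host_ns.py`; the non-zero exit makes it usable as a CI gate over rendered manifests. Against the constructed samples it reports four findings for `ops/node-debugger` and two for `metrics-agent`, and nothing for the two clean workloads.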
