| Container | Container | Lateral Movement, TA0008 |
Represents a relationship between containers within the same pod that share a process namespace.
Pods represent one or more containers with shared storage and network resources. Optionally, containers within the same pod can elect to share a process namespace with a flag in the pod spec.
Access to a container within a pod running other containers with shared process namespaces
See the example pod spec.
Consider the following spec, with two containers sharing a process namespace:
From within the shell container, run:
Without namespace sharing, no processes from other containers would be visible. With this specification, however, we would expect output similar to the following, in which the nginx processes from the other container are visible:
Various options are possible here depending on the attacker's end goal. Ultimately it is possible to gain full control of other containers within the shared namespace. The easiest vector is to directly access the filesystem of the other container through the `/proc/$pid/root` link. Sticking with the previous example, running the command below should display the contents of the nginx config file:
Defence in depth
Prevent the use of shared process namespaces in pods where containers have different risk profiles. Ideally, such containers should run in separate pods.
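As an added example, not taken from the original page: a small Python check that walks the JSON output of `kubectl get pods -A -o json` and flags any pod that sets `spec.shareProcessNamespace: true` (the PodSpec field behind the flag mentioned above) while running more than one container, which is the precondition for the lateral movement described here. The pod list embedded below is constructed sample data, not output from a real cluster.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.loads("""
{
  "kind": "PodList",
  "items": [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"shareProcessNamespace": true,
              "containers": [{"name": "nginx", "image": "nginx:1.25"},
                             {"name": "shell", "image": "busybox:1.36"}]}},
    {"metadata": {"namespace": "web", "name": "api"},
     "spec": {"containers": [{"name": "api", "image": "example/api:1.0"}]}},
    {"metadata": {"namespace": "tools", "name": "debug"},
     "spec": {"shareProcessNamespace": true,
              "containers": [{"name": "only", "image": "busybox:1.36"}]}}
  ]
}
""")


def find_shared_pid_pods(pod_list):
    """Return (namespace, name, [container names]) for every pod that sets
    spec.shareProcessNamespace and runs more than one regular container.

    A single-container pod with the flag set exposes no other container's
    processes, so it is not reported as a finding.
    """
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        if not spec.get("shareProcessNamespace", False):
            continue
        names = [c["name"] for c in spec.get("containers", [])]
        if len(names) > 1:
            meta = pod["metadata"]
            findings.append((meta["namespace"], meta["name"], names))
    return findings


if __name__ == "__main__":
    # Read a real pod list from a file if given, otherwise use the sample.
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for ns, name, names in find_shared_pid_pods(data):
        print(f"{ns}/{name}: shared PID namespace across {', '.join(names)}")
```

Run it against a saved `kubectl get pods -A -o json` file to list pods that should be split into separate pods or have the flag removed.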