To enable process namespace sharing, set shareProcessNamespace to true in the Pod spec. The following example shows the effect of two containers sharing a process namespace in a Pod. The contents of the share-process-namespace.yaml configuration file are as follows.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  shareProcessNamespace: true
  containers:
  - name: nginx
    image: nginx
  - name: shell
    image: busybox
    securityContext:
      capabilities:
        add:
        - SYS_PTRACE
    stdin: true
    tty: true

The main container runs the nginx service, and the other container, named "shell", is a debugging tool based on busybox. The SYS_PTRACE capability has been added under securityContext.capabilities of the shell container so that it can trace processes in the Pod.

Use the kubectl create command to create this Pod.

[root@master1 ~]# kubectl create -f share-process-namespace.yaml 
pod/nginx created

List the containers in the Pod.

[root@master1 ~]# kubectl get pods nginx -o jsonpath={.spec.containers[*].name}
nginx shell

Enter the shell container and run the ps command: it lists all processes in the Pod, both those of nginx and those of the shell container itself.

[root@master1 ~]# kubectl  exec -it nginx -c shell -- sh
/ # ps -elf
PID   USER     TIME  COMMAND
    1 root      0:00 /pause
    6 root      0:00 nginx: master process nginx -g daemon off;
   35 101       0:00 nginx: worker process
   36 101       0:00 nginx: worker process
   37 root      0:00 sh
   42 root      0:00 sh
   47 root      0:00 ps -elf
/ # 

Because the shell container has the SYS_PTRACE capability, it can also send operating-system signals to processes of other containers, for example SIGHUP to the nginx master process (PID 6) to make nginx reload.

/ # kill -SIGHUP 6
/ # ps -elf
PID   USER     TIME  COMMAND
    1 root      0:00 /pause
    6 root      0:00 nginx: master process nginx -g daemon off;
   37 root      0:00 sh
   42 root      0:00 sh
   48 101       0:00 nginx: worker process
   49 101       0:00 nginx: worker process
   50 root      0:00 ps -elf
/ #

The original nginx worker processes (PIDs 35 and 36) have been replaced: new worker processes with PIDs 48 and 49 have been started.

A Pod environment with two containers sharing a process namespace has the following characteristics.

  • The process IDs (PIDs) of the containers are mixed in one namespace, and no container has its startup process at PID 1 anymore; PID 1 belongs to the Pod's pause container. Containers whose startup process must be PID 1, such as containers that use systemd as the start command, will therefore fail to start.
  • Process information is visible across the containers. This includes everything under the /proc directory, such as environment variables that may contain sensitive information like passwords. Access to it can only be restricted by UNIX file permissions, which requires setting the running user or group of each container.
  • Each container's filesystem is reachable under /proc/$pid/root, so a container can read the contents of the other containers' filesystems. This is useful for debugging, but it also means there is no container-level security isolation: access control again relies solely on UNIX file permissions, which requires setting the running user or group of each container.
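The last two points are the ones a cluster administrator would want to check before admitting such a Pod. The following is an added example, not code from the original article or from Kubernetes: a small audit function over Pod manifests that have already been parsed into Python dicts (for instance with yaml.safe_load), which flags containers in a shared process namespace that run as root or without a pinned non-root user, and containers that add SYS_PTRACE. The two sample manifests, the function names and the uid 1000 in the hardened variant are constructed for this example; the hardened variant assumes images that can run as a non-root uid.

```python
"""Audit Pod manifests that share a process namespace (added example)."""

ROOT_UID = 0


def _security_context(obj):
    """securityContext of a Pod spec or container, or {} if absent."""
    return obj.get("securityContext") or {}


def _effective_run_as(pod_spec, container):
    """Return (runAsUser, runAsNonRoot) as seen by the container.

    Container-level securityContext wins; otherwise the Pod-level one
    applies. A None runAsUser means the image's default user is used.
    """
    csc = _security_context(container)
    psc = _security_context(pod_spec)
    uid = csc["runAsUser"] if "runAsUser" in csc else psc.get("runAsUser")
    non_root = csc["runAsNonRoot"] if "runAsNonRoot" in csc else psc.get("runAsNonRoot", False)
    return uid, non_root


def audit_pod(pod):
    """Return a list of findings for a Pod manifest; [] means nothing to flag."""
    spec = pod.get("spec", {})
    findings = []
    if not spec.get("shareProcessNamespace"):
        return findings  # separate PID namespaces: /proc of other containers is not visible
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for c in spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        uid, non_root = _effective_run_as(spec, c)
        caps = (_security_context(c).get("capabilities") or {}).get("add") or []
        # Root in a shared PID namespace can read every other container's
        # /proc/<pid>/root and environ; an unset uid usually means root.
        if uid == ROOT_UID or (uid is None and not non_root):
            how = "root" if uid == ROOT_UID else "unset (image default)"
            findings.append(
                f"{name}/{cname}: runAsUser is {how} in a shared process namespace; "
                "UNIX file permissions are the only isolation from other containers"
            )
        if "SYS_PTRACE" in caps:
            findings.append(
                f"{name}/{cname}: adds SYS_PTRACE, which allows tracing and "
                "signalling every process in the Pod"
            )
    return findings


# Constructed sample 1: the article's manifest as a dict (both containers
# run as the image default user, the shell container adds SYS_PTRACE).
ARTICLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx"},
    "spec": {
        "shareProcessNamespace": True,
        "containers": [
            {"name": "nginx", "image": "nginx"},
            {
                "name": "shell",
                "image": "busybox",
                "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}},
                "stdin": True,
                "tty": True,
            },
        ],
    },
}

# Constructed sample 2: same layout, but every container is pinned to a
# non-root uid at Pod level and the debug container no longer needs ptrace.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx-hardened"},
    "spec": {
        "shareProcessNamespace": True,
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [
            {"name": "nginx", "image": "nginx"},
            {"name": "shell", "image": "busybox", "stdin": True, "tty": True},
        ],
    },
}

if __name__ == "__main__":
    for pod in (ARTICLE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["ok"])
```

Run as a script it prints three findings for the article's Pod (two unpinned users, one SYS_PTRACE) and "ok" for the hardened variant. The check is deliberately conservative: an unset runAsUser is treated as root unless runAsNonRoot is set, because that is what most base images resolve to, and the kubelet itself will refuse to start a container whose image user is root when runAsNonRoot is true.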

For example, the contents of the nginx container’s configuration file can be viewed from within the shell container.

/ # cat /proc/6/root/etc/nginx/nginx.conf 

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
/ #