Share Process Namespace between Containers in a Pod

This page shows how to configure process namespace sharing for a pod. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod.

You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don’t include debugging utilities like a shell.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Configure a Pod

Process namespace sharing is enabled using the shareProcessNamespace field of .spec for a Pod. For example:

pods/share-process-namespace.yaml Share Process Namespace between Containers in a Pod - 图1

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4. name: nginx
  5. spec:
  6. shareProcessNamespace: true
  7. containers:
  8. - name: nginx
  9. image: nginx
  10. - name: shell
  11. image: busybox:1.28
  12. securityContext:
  13. capabilities:
  14. add:
  15. - SYS_PTRACE
  16. stdin: true
  17. tty: true
  1. Create the pod nginx on your cluster:

    1. kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
  2. Attach to the shell container and run ps:

    1. kubectl attach -it nginx -c shell

    If you don’t see a command prompt, try pressing enter. In the container shell:

    1. # run this inside the "shell" container
    2. ps ax

    The output is similar to this:

    1. PID USER TIME COMMAND
    2. 1 root 0:00 /pause
    3. 8 root 0:00 nginx: master process nginx -g daemon off;
    4. 14 101 0:00 nginx: worker process
    5. 15 root 0:00 sh
    6. 21 root 0:00 ps ax

You can signal processes in other containers. For example, send SIGHUP to nginx to restart the worker process. This requires the SYS_PTRACE capability.

  1. # run this inside the "shell" container
  2. kill -HUP 8 # change "8" to match the PID of the nginx leader process, if necessary
  3. ps ax

The output is similar to this:

  1. PID USER TIME COMMAND
  2. 1 root 0:00 /pause
  3. 8 root 0:00 nginx: master process nginx -g daemon off;
  4. 15 root 0:00 sh
  5. 22 101 0:00 nginx: worker process
  6. 23 root 0:00 ps ax

It’s even possible to access the file system of another container using the /proc/$pid/root link.

  1. # run this inside the "shell" container
  2. # change "8" to the PID of the Nginx process, if necessary
  3. head /proc/8/root/etc/nginx/nginx.conf

The output is similar to this:

  1. user nginx;
  2. worker_processes 1;
  3. error_log /var/log/nginx/error.log warn;
  4. pid /var/run/nginx.pid;
  5. events {
  6. worker_connections 1024;

Understanding process namespace sharing

Pods share many resources so it makes sense they would also share a process namespace. Some containers may expect to be isolated from others, though, so it’s important to understand the differences:

  1. The container process no longer has PID 1. Some containers refuse to start without PID 1 (for example, containers using systemd) or run commands like kill -HUP 1 to signal the container process. In pods with a shared process namespace, kill -HUP 1 will signal the pod sandbox (/pause in the above example).

  2. Processes are visible to other containers in the pod. This includes all information visible in /proc, such as passwords that were passed as arguments or environment variables. These are protected only by regular Unix permissions.

  3. Container filesystems are visible to other containers in the pod through the /proc/$pid/root link. This makes debugging easier, but it also means that filesystem secrets are protected only by filesystem permissions.