Share Process Namespace between Containers in a Pod

    This page shows how to configure process namespace sharing for a pod. When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.

    You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don’t include debugging utilities like a shell.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube, or you can use one of the Kubernetes playgrounds.

    Your Kubernetes server must be at or later than version v1.10. To check the version, enter kubectl version.

    1. Create the pod nginx on your cluster:

           kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml

    2. Attach to the shell container and run ps:

       If you don't see a command prompt, try pressing enter.

           / # ps ax
             1 root      0:00 /pause
            14 101       0:00 nginx: worker process
            15 root      0:00 sh
            21 root      0:00 ps ax

    It's even possible to access the root file system of another container through the /proc/$pid/root link:

        / # head /proc/8/root/etc/nginx/nginx.conf
        user nginx;
        worker_processes 1;
        error_log /var/log/nginx/error.log warn;
        pid /var/run/nginx.pid;
        events {
            worker_connections 1024;

    Pods share many resources so it makes sense they would also share a process namespace. Some container images may expect to be isolated from other containers, though, so it’s important to understand these differences:

    1. The container process no longer has PID 1. Some container images refuse to start without PID 1 (for example, containers using systemd) or run commands like kill -HUP 1 to signal the container process. In pods with a shared process namespace, kill -HUP 1 will signal the pod sandbox. (/pause in the above example.)

    2. Processes are visible to other containers in the pod. This includes all information visible in /proc, such as passwords that were passed as arguments or environment variables. These are protected only by regular Unix permissions.
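    The second difference is the one that matters for review: once shareProcessNamespace is set, a credential passed as a command-line argument is readable by every container in the pod through /proc/<pid>/cmdline, and one passed as an environment variable is readable through /proc/<pid>/environ by any container running as the same user (or with CAP_SYS_PTRACE). The following script is an added example, not code from the Kubernetes documentation: it audits a pod manifest offline, using the same structure as the YAML you would apply, and lists what a shared PID namespace would expose. The pod, container names, image tags, environment-variable names and the SYS_PTRACE grant on the sidecar are constructed sample values modelled on this tutorial's nginx/shell pod, and the list of "sensitive-looking" name fragments is an assumption you should tune for your own environment.

```python
"""Offline audit of a Pod spec for process-namespace-sharing exposure.

Added example, not from the Kubernetes documentation. Walks a pod manifest
(same structure as the YAML you would 'kubectl apply') and reports what a
shared PID namespace exposes to the other containers in the pod.
"""
from __future__ import annotations

# Env-var / flag name fragments that usually carry credentials (assumption; tune per environment).
SENSITIVE_NAME_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")

# Constructed sample manifest modelled on the tutorial's pod: an nginx container
# plus a busybox 'shell' sidecar that is granted SYS_PTRACE so it can signal and
# inspect processes of the other container. All values below are made up.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx"},
    "spec": {
        "shareProcessNamespace": True,
        "containers": [
            {
                "name": "nginx",
                "image": "nginx",
                "env": [
                    {"name": "DB_PASSWORD", "value": "hunter2"},  # literal, constructed
                    {"name": "API_TOKEN",
                     "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                ],
                "args": ["--admin-password=hunter2"],  # constructed
            },
            {
                "name": "shell",
                "image": "busybox:1.28",
                "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}},
                "stdin": True,
                "tty": True,
            },
        ],
    },
}


def looks_sensitive(name: str) -> bool:
    """Heuristic: does this env var or flag name suggest a credential?"""
    upper = name.upper()
    return any(hint in upper for hint in SENSITIVE_NAME_HINTS)


def audit_pod(pod: dict) -> list[str]:
    """Return human-readable findings for one pod manifest (empty if PID namespaces are isolated)."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    findings: list[str] = []

    if not spec.get("shareProcessNamespace", False):
        return findings  # isolated PID namespaces: nothing below applies

    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    names = [c.get("name", "?") for c in containers]
    findings.append(f"{pod_name}: shareProcessNamespace=true; {names} share one PID namespace")

    for c in containers:
        cname = c.get("name", "?")
        # Secrets in env end up in /proc/<pid>/environ, readable by any container in the
        # pod running as the same UID (or holding CAP_SYS_PTRACE). A secretKeyRef does not
        # change that: the value is still materialised in the process environment.
        for env in c.get("env", []):
            if looks_sensitive(env.get("name", "")):
                src = "secretKeyRef" if "valueFrom" in env else "literal value"
                findings.append(f"{cname}: env {env['name']} ({src}) exposed via /proc/<pid>/environ")
        # Credentials on the command line land in /proc/<pid>/cmdline, which is world-readable.
        for arg in c.get("args", []) + c.get("command", []):
            flag = arg.split("=", 1)[0]
            if looks_sensitive(flag):
                findings.append(f"{cname}: argument {flag}=... exposed via /proc/<pid>/cmdline")
        caps = c.get("securityContext", {}).get("capabilities", {}).get("add", [])
        if "SYS_PTRACE" in caps:
            findings.append(f"{cname}: CAP_SYS_PTRACE lets it signal/inspect other containers' processes")
    return findings


if __name__ == "__main__":
    for line in audit_pod(SAMPLE_POD):
        print(line)
```

    For the constructed pod this reports five findings: the pod-level flag, the two nginx environment variables, the --admin-password argument, and the SYS_PTRACE grant on the sidecar. The usual mitigations are the ones the findings point at: mount secrets as files under a volume instead of passing them as arguments or environment variables, run cooperating containers under distinct non-root UIDs, and grant SYS_PTRACE only to the debugging sidecar that needs it, for as long as it needs it.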