Share Process Namespace between Containers in a Pod

    You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don’t include debugging utilities like a shell.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using or you can use one of these Kubernetes playgrounds:

    Process namespace sharing is enabled using the field of .spec for a Pod. For example:

      kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
    1. Attach to the shell container and run ps:

      kubectl attach -it nginx -c shell

      If you don’t see a command prompt, try pressing enter. In the container shell:

      The output is similar to this:

      PID   USER     TIME  COMMAND
          8 root      0:00 nginx: master process nginx -g daemon off;
         14 101       0:00 nginx: worker process
         15 root      0:00 sh

    You can signal processes in other containers. For example, send SIGHUP to nginx to restart the worker process. This requires the SYS_PTRACE capability.

    # run this inside the "shell" container
    kill -HUP 8   # change "8" to match the PID of the nginx leader process, if necessary
    ps ax

    It’s even possible to access the file system of another container using the /proc/$pid/root link.

    # run this inside the "shell" container
    # change "8" to the PID of the Nginx process, if necessary
    head /proc/8/root/etc/nginx/nginx.conf

    The output is similar to this:

    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
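
    Because a shared process namespace lets one container see, signal and read the files of another, it is worth knowing which pods in a cluster have it turned on. The following is an added example, not part of the original page: it reads pod JSON in the shape produced by `kubectl get pods -o json` and reports each pod that sets `shareProcessNamespace`, together with the containers that add `SYS_PTRACE`. The function name `audit_shared_pid` and the sample pods are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get pods -o json`. The first pod
# mirrors the names used on this page; the second is invented as a negative case.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "nginx"},
     "spec": {"shareProcessNamespace": True,
              "containers": [
                  {"name": "nginx"},
                  {"name": "shell",
                   "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}}]}},
    {"metadata": {"namespace": "default", "name": "isolated"},
     "spec": {"containers": [{"name": "app"}]}},
]})


def audit_shared_pid(pod_list_json):
    """Return one finding per pod whose containers share a process namespace."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        spec = pod.get("spec", {})
        if not spec.get("shareProcessNamespace"):
            continue  # field unset or false: containers keep separate PID namespaces
        containers = []
        for key in ("initContainers", "containers", "ephemeralContainers"):
            containers += spec.get(key) or []
        ptrace = []
        for c in containers:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            added = {a.upper() for a in caps.get("add") or []}
            if added & {"SYS_PTRACE", "ALL"}:
                ptrace.append(c["name"])
        meta = pod.get("metadata", {})
        findings.append({
            "pod": f'{meta.get("namespace", "default")}/{meta.get("name")}',
            # every container listed here can see the others' processes
            "containers": [c["name"] for c in containers],
            # containers adding the capability this page says signalling requires
            "sys_ptrace": ptrace,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_shared_pid(SAMPLE):
        print(finding)
```

    To check a live cluster, pass the output of `kubectl get pods --all-namespaces -o json` to `audit_shared_pid` in place of `SAMPLE`.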

    Pods share many resources so it makes sense they would also share a process namespace. Some containers may expect to be isolated from others, though, so it’s important to understand the differences:

    1. The container process no longer has PID 1. Some containers refuse to start without PID 1 (for example, containers using systemd) or run commands like kill -HUP 1 to signal the container process. In pods with a shared process namespace, kill -HUP 1 will signal the pod sandbox (/pause in the above example).