Hamburger Cross Icon
Kubernetes Guardrails - Host Ipc

Host Ipc

Guardrail Kubernetes Guardrails Stable Deployment And Infrastructure
k8s.host-ipc

Fails when workload PodSpecs set hostIPC: true. Sharing the host's IPC namespace exposes node-wide System V IPC and POSIX shared memory to the container, which can be abused to read or tamper with other workloads' shared-memory state. Workloads that genuinely need host IPC can opt out via include/exclude in lunar-config.yml.

hostIPC IPC namespace shared memory container escape least privilege
Get Started View All Kubernetes Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Host Ipc with each collector.

+
Host Ipc + Kubernetes Collector Provides parsed K8s manifest data that these policies evaluate

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
policies:
  - uses: github://earthly/lunar-lib/policies/k8s@v1.0.5
    include: [host-ipc]
    # with: ...

How This Guardrail Works

This guardrail is part of the Kubernetes Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
Host Ipc runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input Required Default Description
min_replicas Optional 3 Minimum replicas required for HPAs (default 3)
max_limit_to_request_ratio Optional 4 Maximum ratio of limits to requests for CPU/memory (default 4)
min_kubectl_version Optional 1.28 Minimum kubectl version required in CI (semver, e.g. "1.28")

Related Guardrails

Other guardrails in the Kubernetes Guardrails policy.

Guardrail Deployment And Infrastructure
Valid

Validates that all Kubernetes manifests in the repository are syntactically correct and conform to K8s schema. Invalid...
Guardrail Deployment And Infrastructure
Requests And Limits

Ensures all containers have CPU and memory requests and limits defined. Missing resource specs can cause scheduling...
Guardrail Deployment And Infrastructure
Probes

Requires liveness and readiness probes on all containers. Probes enable Kubernetes to detect unhealthy pods and route...
Guardrail Deployment And Infrastructure
Min Replicas

Enforces minimum replica counts on HorizontalPodAutoscalers. Ensures services maintain capacity during scaling events...
Guardrail Deployment And Infrastructure
Pdb

Requires PodDisruptionBudgets for Deployments and StatefulSets. PDBs protect availability during voluntary disruptions...
Guardrail Deployment And Infrastructure
Non Root

Requires containers to run as non-root users via securityContext. Running as root inside containers violates least...
View all 11 guardrails in Kubernetes Guardrails
Kubernetes Guardrails

Kubernetes Guardrails

This guardrail is part of the Kubernetes Guardrails policy, which includes 11 guardrails for deployment and infrastructure.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo