C-0006 - Allowed hostPath

Allowed hostPath

Framework

NSA, ArmoBest

Description of the issue

A hostPath volume mounts part of the node's filesystem into the container. An attacker who controls the container can use such a mount to read or modify files on the underlying host and thus break out from the container to the host. (See “3: Writable hostPath mount” for details.)

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Checks the Pod spec (including the pod template of the workload kinds listed above) for volumes of type hostPath.

Remediation

Refrain from using hostPath volume mounts.

Example

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:   # the control flags this volume type
      path: /data
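The check described under "What does this control test", written here as an added Python example (not the Kubescape project's own rule): it unwraps the pod template of the workload kinds listed under Related resources and reports every hostPath volume together with the containers that mount it. The sample manifests are constructed for the example (the first one is the Pod above in parsed-YAML form).

```python
KINDS_WITH_POD_TEMPLATE = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec_of(manifest):
    """Return the PodSpec of a Pod, a pod-template workload or a CronJob (empty dict otherwise)."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in KINDS_WITH_POD_TEMPLATE:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":  # CronJob -> Job template -> Pod template
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return {}


def find_host_path_mounts(manifest):
    """One finding per hostPath volume: name, host path and the (container, mountPath, readOnly) tuples
    that mount it. A hostPath volume no container mounts is still reported: the control flags the volume."""
    pod_spec = pod_spec_of(manifest)
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    findings = []
    for vol in pod_spec.get("volumes", []):
        if "hostPath" not in vol:  # emptyDir, configMap, persistentVolumeClaim, ... are out of scope
            continue
        mounts = [(c["name"], m["mountPath"], bool(m.get("readOnly", False)))
                  for c in containers for m in c.get("volumeMounts", []) if m.get("name") == vol["name"]]
        findings.append({"volume": vol["name"], "path": vol["hostPath"].get("path"), "mounts": mounts})
    return findings


# Constructed sample manifests in parsed-YAML form, so no YAML library is needed.
SAMPLE_POD = {  # the page's example Pod
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pd"},
    "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                             "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
             "volumes": [{"name": "test-volume", "hostPath": {"path": "/data"}}]}}
SAMPLE_CRONJOB = {  # hostPath nested three levels down and mounted read-only: still a finding
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "log-shipper"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "shipper", "image": "example/shipper",
                        "volumeMounts": [{"name": "logs", "mountPath": "/host-logs", "readOnly": True}]}],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}}}}}}
SAMPLE_CLEAN = {  # Deployment using emptyDir instead of hostPath: passes the control
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "example/web",
                                                   "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
                                   "volumes": [{"name": "tmp", "emptyDir": {}}]}}}}

if __name__ == "__main__":
    for m in (SAMPLE_POD, SAMPLE_CRONJOB, SAMPLE_CLEAN):
        print(m["kind"], m["metadata"]["name"], find_host_path_mounts(m) or "OK: no hostPath volumes")
```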
